The hypothesis is that the detected activity may indicate an adversary attempting to exfiltrate data or establish a foothold by leveraging a compromised or malicious HTTP endpoint. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data exfiltration attempts that may not be captured by traditional detection methods.
YARA Rule
rule zhCat
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $s1 = "zhCat -l -h -tp 1234"
        $s2 = "ABC ( A Big Company )" wide
    condition:
        all of them
}
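As an added illustration of how the rule's two strings are evaluated, the following Python is a small emulation of its matching logic, written for this page rather than taken from Cylance's report or from YARA itself; the sample buffers are constructed here. It exercises the one subtlety in the rule: $s2 carries the wide modifier, so it is matched only in its UTF-16LE form, while $s1 with no modifier is matched as plain ASCII, and the condition requires both.

```python
# Added example: emulate `rule zhCat` in plain Python so the "wide" modifier and
# the "all of them" condition can be seen without yara-python installed.
# The sample buffers below are constructed for this illustration.

S1 = b"zhCat -l -h -tp 1234"                          # $s1: no modifier -> ASCII
S2_WIDE = "ABC ( A Big Company )".encode("utf-16-le")  # $s2 "wide" -> UTF-16LE only


def find_all(haystack: bytes, needle: bytes) -> list:
    """Return every byte offset at which needle occurs in haystack."""
    offsets = []
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan_zhcat(data: bytes) -> dict:
    """Return the rule verdict plus per-string offsets, as a YARA match would."""
    hits = {
        "$s1": find_all(data, S1),
        "$s2": find_all(data, S2_WIDE),
    }
    # condition: all of them -> every declared string must have at least one hit
    return {"matched": all(hits.values()), "strings": hits}


# Constructed samples
SAMPLE_HIT = b"\x00" * 16 + S1 + b"\x00\x00" + S2_WIDE + b"\xff" * 8
# $s2 present only as ASCII: the rule declares it `wide`, so this must not match
SAMPLE_ASCII_ONLY = S1 + b" " + b"ABC ( A Big Company )"
# Only one of the two strings present: "all of them" fails
SAMPLE_S1_ONLY = S1

if __name__ == "__main__":
    for name, buf in (("hit", SAMPLE_HIT),
                      ("ascii-only", SAMPLE_ASCII_ONLY),
                      ("s1-only", SAMPLE_S1_ONLY)):
        print(name, scan_zhcat(buf))
```

With yara-python available, `yara.compile(source=...)` followed by `rules.match(data=...)` on the same three buffers gives the same verdicts; the emulation is only there to make the modifier semantics visible before the rule is deployed.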
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic: $s1 is matched as plain ASCII and $s2, declared wide, is matched only in its UTF-16 form; the condition requires both to be present.
Scenario: A system administrator is using PowerShell to perform a scheduled maintenance task that involves downloading a script from a trusted internal repository.
Filter/Exclusion: Exclude events where the source IP is from the internal network and the command line contains powershell.exe with a known maintenance script path.
Scenario: A Windows Task Scheduler job is configured to run a legitimate update script that temporarily accesses a remote HTTP endpoint for configuration data.
Filter/Exclusion: Exclude events where the process is schtasks.exe and the URL matches a known internal update server.
Scenario: A Docker container is pulling a base image from a public registry like Docker Hub as part of a CI/CD pipeline.
Filter/Exclusion: Exclude events where the process is dockerd and the URL contains docker.io or hub.docker.com.
Scenario: A Windows Update process is downloading updates from Microsoft’s update servers.
Filter/Exclusion: Exclude events where the process is wuauclt.exe and the URL starts with https://download.microsoft.com.
Scenario: A log management tool like Splunk or ELK Stack is configured to fetch logs from a remote server for centralized logging.
Filter/Exclusion: Exclude events where the process is splunkd or logstash and the URL matches a known internal log server.
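The five exclusions above, applied to constructed HTTP activity events as an added example (not code from the page or from any SIEM product). Every network range, host name and script path in it is an assumption standing in for site-specific allow-lists. It compares the parsed hostname rather than a raw substring or prefix of the URL, which is stricter than the wording above, so a look-alike host is not silently excluded along with the genuine one.

```python
# Added example: apply the five false-positive exclusions to constructed events.
# All ranges, hosts and paths below are assumptions for the illustration.
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Assumed site-specific allow-lists (constructed, not from the page)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
MAINTENANCE_SCRIPTS = {r"c:\ops\maintenance\weekly-cleanup.ps1"}
INTERNAL_UPDATE_HOSTS = {"updates.corp.example"}
INTERNAL_LOG_HOSTS = {"logs.corp.example"}
DOCKER_REGISTRY_HOSTS = {"docker.io", "registry-1.docker.io", "hub.docker.com"}


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased; empty string when the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def is_internal(ip: str) -> bool:
    """True when ip parses and falls inside one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def exclusion_reason(ev: dict) -> Optional[str]:
    """Name of the exclusion that suppresses ev, or None if it stays in the hunt."""
    proc = ev.get("process", "").lower()
    cmd = ev.get("cmdline", "").lower()
    url = ev.get("url", "")
    host = host_of(url)
    if (proc == "powershell.exe" and is_internal(ev.get("src_ip", ""))
            and any(path in cmd for path in MAINTENANCE_SCRIPTS)):
        return "maintenance-powershell"
    if proc == "schtasks.exe" and host in INTERNAL_UPDATE_HOSTS:
        return "scheduled-update"
    if proc == "dockerd" and host in DOCKER_REGISTRY_HOSTS:
        return "docker-pull"
    # Exact host over HTTPS, not a string prefix of the URL
    if (proc == "wuauclt.exe" and urlsplit(url).scheme == "https"
            and host == "download.microsoft.com"):
        return "windows-update"
    if proc in {"splunkd", "logstash"} and host in INTERNAL_LOG_HOSTS:
        return "log-collection"
    return None


def triage(events: list) -> list:
    """Drop excluded events; what remains is what the analyst reviews."""
    return [ev for ev in events if exclusion_reason(ev) is None]


# Constructed sample events (not real telemetry)
EVENTS = [
    {"id": 1, "process": "powershell.exe", "src_ip": "10.20.30.40",
     "cmdline": r"powershell.exe -File C:\ops\maintenance\weekly-cleanup.ps1",
     "url": "https://repo.corp.example/scripts/weekly-cleanup.ps1"},
    {"id": 2, "process": "schtasks.exe", "src_ip": "10.1.1.5", "cmdline": "",
     "url": "http://updates.corp.example/config.json"},
    {"id": 3, "process": "dockerd", "src_ip": "192.168.5.9", "cmdline": "",
     "url": "https://registry-1.docker.io/v2/library/alpine/manifests/latest"},
    {"id": 4, "process": "wuauclt.exe", "src_ip": "10.2.2.2", "cmdline": "",
     "url": "https://download.microsoft.com/download/x/y/update.cab"},
    {"id": 5, "process": "splunkd", "src_ip": "10.3.3.3", "cmdline": "",
     "url": "https://logs.corp.example:8089/services/collector"},
    # Two events that must survive: an unknown script, and a look-alike host
    {"id": 6, "process": "powershell.exe", "src_ip": "10.20.30.41",
     "cmdline": r"powershell.exe -File C:\Users\Public\unknown.ps1",
     "url": "http://203.0.113.7/unknown.ps1"},
    {"id": 7, "process": "wuauclt.exe", "src_ip": "10.2.2.3", "cmdline": "",
     "url": "https://download.microsoft.com.not-the-real-host.example/u.cab"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["id"], exclusion_reason(ev) or "REVIEW")
```

Event 7 is the reason for parsing the host: a prefix test on the URL string would have excluded it, while the exact-host comparison keeps it in the review queue.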