The Zlib Backdoor detection identifies potential adversary activity involving compressed malicious payloads, which may indicate the use of evasion techniques to bypass standard security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced threats that leverage compression-based obfuscation.
YARA Rule
```yara
rule Zlib_Backdoor
{
    meta:
        author = "Cylance SPEAR Team"
        /* String
        C7 45 FC 00 04 00 00    mov [ebp+Memory], 400h
        C6 45 D8 50             mov [ebp+Str], 'P'
        C6 45 D9 72             mov [ebp+var_27], 'r'
        C6 45 DA 6F             mov [ebp+var_26], 'o'
        C6 45 DB 78             mov [ebp+var_25], 'x'
        C6 45 DC 79             mov [ebp+var_24], 'y'
        C6 45 DD 2D             mov [ebp+var_23], '-'
        C6 45 DE 41             mov [ebp+var_22], 'A'
        C6 45 DF 75             mov [ebp+var_21], 'u'
        C6 45 E0 74             mov [ebp+var_20], 't'
        C6 45 E1 68             mov [ebp+var_1F], 'h'
        C6 45 E2 65             mov [ebp+var_1E], 'e'
        C6 45 E3 6E             mov [ebp+var_1D], 'n'
        C6 45 E4 74             mov [ebp+var_1C], 't'
        C6 45 E5 69             mov [ebp+var_1B], 'i'
        C6 45 E6 63             mov [ebp+var_1A], 'c'
        C6 45 E7 61             mov [ebp+var_19], 'a'
        C6 45 E8 74             mov [ebp+var_18], 't'
        C6 45 E9 65             mov [ebp+var_17], 'e'
        C6 45 EA 3A             mov [ebp+var_16], ':'
        C6 45 EB 20             mov [ebp+var_15], ' '
        C6 45 EC 4E             mov [ebp+var_14], 'N'
        C6 45 ED 54             mov [ebp+var_13], 'T'
        C6 45 EE 4C             mov [ebp+var_12], 'L'
        C6 45 EF 4D             mov [ebp+var_11], 'M'
        C6 45 F0 20             mov [ebp+var_10], ' '
        */

    strings:
        $auth  = {C6 45 D8 50 C6 45 D9 72 C6 45 DA 6F C6 45 DB 78 C6 45 DC 79 C6 45 DD 2D}
        $auth2 = {C7 45 FC 00 04 00 00 C6 45 ?? 50 C6 45 ?? 72 C6 45 ?? 6F}
        $ntlm  = "NTLM" wide

    condition:
        ($auth or $auth2) and $ntlm
}
```
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
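To make the three string patterns concrete, here is an added Python re-implementation of the rule's matching logic (not part of the original rule or of Cylance's tooling). It converts the two hex strings, including the `??` single-byte wildcards in `$auth2`, into byte regexes, checks for the `wide` (UTF-16LE) form of `NTLM`, and evaluates the condition `($auth or $auth2) and $ntlm`. A second helper reconstructs the stack-built string from a run of `C6 45 disp imm` (`mov byte [ebp+disp8], imm8`) instructions, which is the construct the comment block in the rule documents. All sample buffers are constructed for the demonstration; they are not bytes from any real file, and the `build_sample` helper and its frame offsets are assumptions made for the example.

```python
"""Added example: pure-Python evaluation of the Zlib_Backdoor YARA rule and a
helper that recovers the stack string its byte patterns target.  Sample
buffers are constructed here and are not taken from any real sample."""
import re

# The hex strings from the rule, copied verbatim. "??" is a one-byte wildcard.
RULE_STRINGS = {
    "$auth":  "C6 45 D8 50 C6 45 D9 72 C6 45 DA 6F C6 45 DB 78 C6 45 DC 79 C6 45 DD 2D",
    "$auth2": "C7 45 FC 00 04 00 00 C6 45 ?? 50 C6 45 ?? 72 C6 45 ?? 6F",
}
# `"NTLM" wide` in YARA means the UTF-16LE encoding: N\x00T\x00L\x00M\x00
NTLM_WIDE = "NTLM".encode("utf-16-le")


def hex_pattern_to_regex(pattern: str):
    """Translate a YARA hex string (with ?? wildcards) into a compiled bytes regex."""
    pieces = []
    for tok in pattern.split():
        if tok == "??":
            pieces.append(b".")                       # any single byte
        else:
            pieces.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(pieces), re.DOTALL)    # DOTALL: "." must match 0x0A too


COMPILED = {name: hex_pattern_to_regex(p) for name, p in RULE_STRINGS.items()}


def evaluate_rule(data: bytes) -> dict:
    """Report which strings matched and whether the rule condition
    ($auth or $auth2) and $ntlm holds for the given buffer."""
    hits = {name: rx.search(data) is not None for name, rx in COMPILED.items()}
    hits["$ntlm"] = NTLM_WIDE in data
    hits["match"] = (hits["$auth"] or hits["$auth2"]) and hits["$ntlm"]
    return hits


def decode_stack_string(data: bytes) -> str:
    """Recover the string assembled by consecutive 'mov byte [ebp+disp8], imm8'
    instructions (opcode C6 45 <disp> <imm>), ordering bytes by stack offset.
    Offsets are treated as unsigned, which is fine for one contiguous run."""
    cells = {}
    for m in re.finditer(rb"\xc6\x45(.)(.)", data, re.DOTALL):
        disp, imm = m.group(1)[0], m.group(2)[0]
        cells.setdefault(disp, imm)
    return bytes(cells[d] for d in sorted(cells)).decode("latin-1")


def build_sample(text: str, first_disp: int = 0xD8) -> bytes:
    """Constructed helper (an assumption for this example): emit the
    'mov [ebp+Memory], 400h' prologue from the rule's comment followed by one
    byte-store per character, starting at stack displacement first_disp."""
    out = bytes.fromhex("C7 45 FC 00 04 00 00")
    for i, ch in enumerate(text):
        out += bytes([0xC6, 0x45, first_disp + i, ord(ch)])
    return out


STACK_STRING = "Proxy-Authenticate: NTLM "   # the string spelled out in the rule's comment

# Constructed buffers (not real files):
# 1. frame layout identical to the comment: both $auth and $auth2 hit, wide NTLM present
SAMPLE_HIT = b"\x55\x8b\xec" + build_sample(STACK_STRING) + b"\x00" * 8 + NTLM_WIDE + b"\x00\x00"
# 2. same code at a different frame offset: only the wildcarded $auth2 still hits
SAMPLE_OTHER_FRAME = b"\x55\x8b\xec" + build_sample(STACK_STRING, first_disp=0xB0) + NTLM_WIDE
# 3. stack string present but "NTLM" only as narrow ASCII: $ntlm (wide) fails, no match
SAMPLE_ASCII_ONLY = b"\x55\x8b\xec" + build_sample(STACK_STRING) + b"NTLM\x00"
# 4. wide NTLM alone, as any NTLM-capable binary might contain: no match
SAMPLE_BENIGN = b"MZ\x90\x00" + NTLM_WIDE + bytes(range(0, 48))


if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("other_frame", SAMPLE_OTHER_FRAME),
                       ("ascii_only", SAMPLE_ASCII_ONLY), ("benign", SAMPLE_BENIGN)]:
        print(f"{label:12s} {evaluate_rule(buf)}")
    print("decoded:", repr(decode_stack_string(SAMPLE_HIT)))
```

The second sample shows why the rule carries `$auth2` with wildcards at the displacement byte: a recompiled or differently laid-out stack frame changes the `D8`, `D9`, `DA` offsets and defeats the exact `$auth` pattern, while the wildcarded form still matches. The third sample shows that the `wide` modifier is doing real work in the condition: the string built on the stack contains the letters `NTLM`, but the rule additionally requires the UTF-16LE form to be present somewhere in the file.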
Scenario: System Update via Chocolatey
Description: A legitimate system update using Chocolatey installs a package that includes a zlib-compressed file, which triggers the Zlib_Backdoor rule.
Filter/Exclusion: Check the process.name for choco.exe or chocolatey.exe and exclude any files downloaded from chocolatey.org or github.com.
Scenario: Scheduled Backup Job Using 7-Zip
Description: A scheduled backup job using 7-Zip compresses files using zlib, which may match the Zlib_Backdoor YARA signature.
Filter/Exclusion: Filter by process.name containing 7z.exe and check the file.path for known backup directories like C:\ProgramData\7-Zip\ or C:\Backups\.
Scenario: Admin Task Using PowerShell to Compress Logs
Description: An admin uses PowerShell to compress log files using a zlib-based compression method, which may trigger the rule.
Filter/Exclusion: Filter by process.name containing powershell.exe and check the file.path for log directories like C:\Windows\Temp\logs\ or C:\inetpub\logs\.
Scenario: Legitimate Software Distribution via SCCM
Description: A software deployment via System Center Configuration Manager (SCCM) includes a zlib-compressed payload that matches the rule.
Filter/Exclusion: Check the process.name for ccmexec.exe or smsts.exe and verify the file source against known SCCM distribution paths.
Scenario: Database Backup Using Oracle Data Pump
Description: Oracle Data Pump uses zlib compression during database backups, which may trigger the Zlib_Backdoor rule.
Filter/Exclusion: Filter by `process.name