This detection rule identifies activity attributed to the Deep Panda group (the Anthem hack), specifically the packed ScanLine port scanner (sl-txt-packed), whose presence may indicate a sophisticated payload delivery mechanism. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage adversarial activity and prevent potential data exfiltration or system compromise.
YARA Rule
rule Anthem_DeepPanda_sl_txt_packed
{
    meta:
        description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed"
        author = "Florian Roth"
        date = "2015/02/08"
        hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
    strings:
        $s0 = "Command line port scanner" fullword wide
        $s1 = "sl.exe" fullword wide
        $s2 = "CPports.txt" fullword ascii
        $s3 = ",GET / HTTP/.}" fullword ascii
        $s4 = "Foundstone Inc." fullword wide
        $s9 = " 2002 Foundstone Inc." fullword wide
        $s15 = ", Inc. 2002" fullword ascii
        $s20 = "ICMP Time" fullword ascii
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic (four wide, four ascii, all with the fullword modifier), and its condition (all of them) requires every one of the eight to be present before a sample matches.
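To make the rule's string semantics concrete, the following Python script is an added example that is not part of the page or of Florian Roth's rule. It emulates, in a simplified way, how YARA evaluates these eight strings: "wide" strings are matched as UTF-16LE, "ascii" strings as single-byte text, and "fullword" rejects a hit that is directly preceded or followed by an alphanumeric character. The sample buffers are constructed here for illustration and are not real ScanLine binaries; for production scanning use yara or yara-python against the rule itself rather than this emulation.

```python
# Added example: emulate the string matching of rule Anthem_DeepPanda_sl_txt_packed.
# The string table below is transcribed from the rule; the helper functions and
# sample buffers are assumptions made for this demonstration, not YARA internals.

# (name, text, modifier) as declared in the rule's strings: section
RULE_STRINGS = {
    "$s0": ("Command line port scanner", "wide"),
    "$s1": ("sl.exe", "wide"),
    "$s2": ("CPports.txt", "ascii"),
    "$s3": (",GET / HTTP/.}", "ascii"),
    "$s4": ("Foundstone Inc.", "wide"),
    "$s9": (" 2002 Foundstone Inc.", "wide"),
    "$s15": (", Inc. 2002", "ascii"),
    "$s20": ("ICMP Time", "ascii"),
}


def _is_alnum_byte(b: int) -> bool:
    """ASCII digit or letter, the character class 'fullword' guards against."""
    return 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def _alnum_unit(unit: bytes, wide: bool) -> bool:
    """True if the adjacent unit (1 byte for ascii, 2 bytes for wide) is alphanumeric."""
    if wide:
        return len(unit) == 2 and _is_alnum_byte(unit[0]) and unit[1] == 0
    return len(unit) == 1 and _is_alnum_byte(unit[0])


def find_fullword(data: bytes, pattern: bytes, wide: bool) -> list:
    """Offsets where pattern occurs in data, keeping only 'fullword' hits."""
    step = 2 if wide else 1
    hits = []
    start = 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            break
        start = idx + 1
        end = idx + len(pattern)
        before_ok = idx - step < 0 or not _alnum_unit(data[idx - step:idx], wide)
        after_ok = end + step > len(data) or not _alnum_unit(data[end:end + step], wide)
        if before_ok and after_ok:
            hits.append(idx)
    return hits


def evaluate_rule(data: bytes) -> dict:
    """Evaluate every string of the rule; returns {string_name: [offsets]}."""
    results = {}
    for name, (text, modifier) in RULE_STRINGS.items():
        wide = modifier == "wide"
        pattern = text.encode("utf-16-le") if wide else text.encode("ascii")
        results[name] = find_fullword(data, pattern, wide)
    return results


def rule_matches(data: bytes) -> bool:
    """condition: all of them -- every string must have at least one hit."""
    return all(evaluate_rule(data).values())


def build_sample(include_all: bool = True, mangle_s1: bool = False) -> bytes:
    """Constructed test buffer (not a real binary) carrying the rule's strings.

    include_all=False drops $s20, so 'all of them' should fail.
    mangle_s1=True embeds 'sl.exe' inside 'xsl.exe', which 'fullword' rejects.
    """
    parts = []
    for name, (text, modifier) in RULE_STRINGS.items():
        if not include_all and name == "$s20":
            continue
        if name == "$s1" and mangle_s1:
            text = "x" + text
        parts.append(text.encode("utf-16-le") if modifier == "wide" else text.encode("ascii"))
    # two NUL bytes keep every string clear of alphanumeric neighbours
    return b"\x00\x00".join(parts)


if __name__ == "__main__":
    for label, buf in [
        ("all strings present", build_sample()),
        ("$s20 missing", build_sample(include_all=False)),
        ("$s1 not a full word", build_sample(mangle_s1=True)),
    ]:
        print(f"{label:>22}: match={rule_matches(buf)}")
```

Note that $s4 ("Foundstone Inc.") is also a substring of $s9 (" 2002 Foundstone Inc."), so a buffer containing only $s9 still satisfies $s4; the space preceding it is not alphanumeric, so the fullword check passes. This is why the rule relies on all eight strings together rather than any single one.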
Scenario: Scheduled System Backup Using rsync
Description: A legitimate scheduled backup job using rsync may trigger the rule due to the presence of similar command patterns.
Filter/Exclusion: Check for rsync in the command line or use a filter like process.name = rsync to exclude backup activities.

Scenario: Admin Task Using tar for Archive Management
Description: System administrators may use tar to create or extract archives, which could resemble malicious activity.
Filter/Exclusion: Filter out processes involving tar with process.name = tar or check for known admin tools in the command line.

Scenario: Log File Rotation Using logrotate
Description: The logrotate utility is commonly used to manage log files and may generate similar command-line patterns.
Filter/Exclusion: Use a filter like process.name = logrotate or check for log rotation-related command-line arguments.

Scenario: Software Update Using apt or yum
Description: Package managers like apt or yum may execute commands that look similar to the detection logic, especially during updates.
Filter/Exclusion: Filter for process.name = apt or process.name = yum to exclude legitimate package management activities.

Scenario: Scripted Job Using bash or sh for Automation
Description: Automated scripts or cron jobs using bash or sh may contain similar command structures that trigger the rule.
Filter/Exclusion: Use a filter like process.name = bash or process.name = sh and check for known legitimate script paths or user IDs.