This rule, written by Seth Hardy, keys on a code feature of the "3102" malware family rather than on a string or configuration artifact: a short x86 instruction sequence in which the sample copies 0x702 dwords (7176 bytes) from a hard-coded address into a buffer whose address was just returned in eax (mov ecx, 0x702; mov esi, imm32; mov edi, eax; push 0; rep movsd). The source address is wildcarded because it is an absolute virtual address that changes between builds. Code-based signatures of this kind are useful for hunting because they keep matching when strings, packer or C2 configuration change, as long as the compiled routine does not; the trade-off is that a recompile or small refactor of that routine changes the opcodes and silently breaks the match. SOC teams can run the rule over file shares, mail attachments and process memory to surface samples that string-based detections miss.
YARA Rule
rule APT3102Code
{
meta:
description = "3102 code features"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
$setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 }
condition:
any of them
}
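As an added example (not part of the original rule or of Seth Hardy's tooling), the Python below re-implements YARA's hex-string matching with `??` wildcards so the pattern above can be exercised offline without yara-python, and decodes the wildcarded `mov esi` immediate from each hit, which is the per-build source address an analyst would record during triage. The two sample buffers are constructed here and are not malware.

```python
"""Minimal matcher for the APT3102Code hex string.

Added example, not the rule author's code: it mirrors YARA's whole-byte
wildcard semantics in pure Python so the pattern can be tested offline.
"""
import re
import struct

# The rule's only string, copied verbatim from APT3102Code. Decoded as 32-bit x86:
#   B9 02 07 00 00   mov  ecx, 0x702     ; 0x702 dwords = 7176 bytes
#   BE ?? ?? ?? ??   mov  esi, imm32     ; source address, differs per build
#   8B F8            mov  edi, eax       ; destination = address just returned in eax
#   6A 00            push 0
#   F3 A5            rep movsd           ; copy ecx dwords from [esi] to [edi]
SETUPTHREAD = "B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5"


def hex_pattern_to_regex(hex_string):
    """Compile a YARA-style hex string (fixed bytes plus ?? wildcards) into a
    bytes regex. Only whole-byte wildcards are handled; that is all this rule uses."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        elif len(tok) == 2:
            parts.append(b"\\x%02x" % int(tok, 16))  # literal byte, regex-escaped
        else:
            raise ValueError("unsupported hex token: %r" % tok)
    return re.compile(b"".join(parts), re.DOTALL)


def wildcard_offsets(hex_string):
    """Positions within the pattern that are wildcards (0-based byte index)."""
    return [i for i, tok in enumerate(hex_string.split()) if tok == "??"]


def scan(buf, hex_string=SETUPTHREAD):
    """Return one dict per match: offset into buf, the raw wildcard bytes and,
    when the wildcards form a 4-byte immediate, that immediate as a little-endian
    address (for this pattern, the mov esi source)."""
    regex = hex_pattern_to_regex(hex_string)
    wild = wildcard_offsets(hex_string)
    hits = []
    for m in regex.finditer(buf):
        matched = m.group(0)
        wild_bytes = bytes(matched[i] for i in wild)
        hit = {"offset": m.start(), "wildcards": wild_bytes}
        if len(wild_bytes) == 4:
            hit["esi_source"] = struct.unpack("<I", wild_bytes)[0]
        hits.append(hit)
    return hits


def build_sample(ecx_immediate, esi_source, prefix=b"\x90" * 16):
    """Constructed test buffer (not a real sample): `prefix`, then the thread-setup
    sequence with the given immediates, then a ret."""
    return (prefix
            + b"\xB9" + struct.pack("<I", ecx_immediate)
            + b"\xBE" + struct.pack("<I", esi_source)
            + bytes.fromhex("8BF86A00F3A5")
            + b"\xC3")


# Constructed inputs: same copy size with an arbitrary source address matches;
# one dword more (0x703) does not, showing the rule is tied to that exact size.
SAMPLE_HIT = build_sample(0x702, 0x00403000)
SAMPLE_MISS = build_sample(0x703, 0x00403000)


if __name__ == "__main__":
    for name, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        hits = scan(buf)
        if not hits:
            print(name, "no match")
        for h in hits:
            print(name, "offset=0x%x esi_source=0x%08x" % (h["offset"], h["esi_source"]))
```

With the real engine the equivalent check is `yara -s rule.yar sample.bin`, which prints each matching offset and the matched bytes (including the wildcarded address), and `yara rule.yar <pid>` runs the same rule over a live process's memory.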
This YARA rule can be deployed in the following contexts: on-demand file scanning with the yara command-line tool or an EDR's YARA engine, scanning of live process memory (the yara CLI accepts a PID as its target, and memory-forensics frameworks can run the same rule over a memory image), and as a post-processing signature in a sandbox or mail-gateway pipeline.
The rule contains one string pattern, a hex string with a four-byte wildcard; the condition any of them therefore fires on a single occurrence of that 16-byte sequence anywhere in the scanned bytes.
Because the match is a short opcode sequence rather than a unique string, a hit is a lead to triage, not a verdict, and tuning should be done on the scanned object, not on the process that happened to touch it:
Scenario: The pattern fires on a file that carries a valid vendor signature or matches a known-good hash.
Filter/Exclusion: Verify the Authenticode signature and the hash against the vendor's release before allowlisting, and allowlist by hash, not by path or file name.
Scenario: The pattern fires in the memory of a host process such as powershell.exe, msiexec.exe or a scheduled-task host.
Filter/Exclusion: Do not exclude on ProcessName or CommandLine; those are exactly the hosts an adversary uses to load a payload, and excluding them creates a blind spot. Dump the matching region, confirm it disassembles to the copy sequence above, and identify the module or injected region it belongs to.
Scenario: The rule is being validated in a lab (VM or container) against a sample set.
Filter/Exclusion: Count hits per unique hash rather than per file and feed verified-benign hashes back into an allowlist; do not exclude on virtualization indicators such as vmtoolsd.exe, which only tell you where the scan ran.