The ‘coudw’ rule detects a potential indicator of compromise associated with the coudw malware family. Its only predicate is a URL pattern evaluated over an Android APK by the YARA androguard module, so it runs inside an APK analysis pipeline (a YARA build that provides that module) rather than directly against host or network telemetry; nothing in the rule itself characterises the family's behaviour beyond that one indicator. Matches from the APK scanner can be forwarded to a SIEM such as Azure Sentinel so SOC teams can hunt on and correlate them with other early-stage activity.
YARA Rule
// The androguard module must be imported before androguard.* functions
// can be used in a condition; without this line the rule does not compile.
import "androguard"

rule coudw: amtrckr
{
    meta:
        family = "coudw"
    condition:
        // True if any URL string recovered from the APK matches the regex.
        // The pattern is unanchored, so it also matches look-alike hosts
        // such as xs.cloudsota.com or s.cloudsota.com.example.
        androguard.url(/s\.cloudsota\.com/)
}
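To make the condition concrete, here is an added example (not part of the original page and not the androguard module's own code) that re-implements what androguard.url does with the rule's regex over a constructed list of URL strings, and beside it a host-anchored check that ignores look-alike domains. The URL list, the helper names and the host-comparison variant are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# The regex exactly as written in the rule's condition. androguard.url()
# applies it to every URL string recovered from the APK and the rule
# matches if any URL matches. This is an illustrative re-implementation,
# not the androguard module itself.
RULE_PATTERN = re.compile(r"s\.cloudsota\.com")


def rule_hits(urls):
    """URLs the rule's unanchored regex would match (substring search)."""
    return [u for u in urls if RULE_PATTERN.search(u)]


def rule_matches(urls):
    """Mirror of the rule condition: true if any extracted URL matches."""
    return bool(rule_hits(urls))


def host_matches(urls, host="s.cloudsota.com"):
    """Tighter variant: compare the parsed host component exactly, so
    's.cloudsota.com.example' or 'xs.cloudsota.com' do not count."""
    hits = []
    for u in urls:
        try:
            h = urlsplit(u).hostname
        except ValueError:  # malformed URL string, e.g. bad IPv6 brackets
            h = None
        if h == host:
            hits.append(u)
    return hits


# Constructed sample: URL strings as they might be pulled from an APK
# (hypothetical values, not taken from a real sample).
SAMPLE_URLS = [
    "https://s.cloudsota.com/api/v1/report",  # the indicator the rule targets
    "https://www.example.com/privacy",
    "https://s.cloudsota.com.example/x",      # suffix look-alike: unanchored regex matches
    "http://xs.cloudsota.com/",              # prefix look-alike: also matches
]

if __name__ == "__main__":
    print("rule regex hits:", rule_hits(SAMPLE_URLS))
    print("host-anchored hits:", host_matches(SAMPLE_URLS))
```

Running it shows the rule's regex flagging three of the four constructed URLs while the host-anchored check flags only the first; if the extra hits are unwanted, the same tightening can be applied in the rule by anchoring the pattern on the scheme and host rather than matching the bare substring.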
The scenarios below describe host-telemetry exclusions that a SIEM or EDR query might apply when an alert from this rule is correlated with process activity. The rule itself evaluates only the URL strings inside an APK and carries no process context, so none of these filters changes what the rule matches; they tune the downstream query. Two cautions apply to every filter: the conditions must be joined with AND (a chain of "!=" tests joined with OR is true for every process and excludes nothing), and a bare process name is a weak exclusion key because malware can name its binary after any of these tools, so pair the name with the executable's path and code-signing identity wherever the telemetry supports it.
Scenario: Legitimate system update or patching process using coudw-related tools
Filter/Exclusion: Exclude processes initiated by known patch management tools like Microsoft Update or WSUS. Use a filter such as:
process.name != "wusa.exe" AND process.name != "msiexec.exe" AND process.name != "setup.exe"
Note that msiexec.exe and setup.exe are generic installer names that attackers routinely reuse; scope this exclusion to binaries launched from trusted installation paths rather than excluding the names globally.
Scenario: Scheduled backup or data synchronization job using a tool with similar artifact signatures
Filter/Exclusion: Exclude processes associated with backup tools like Veeam, Commvault, or Veritas NetBackup. Use a filter such as:
process.name != "veeam.exe" AND process.name != "netbackup.exe" AND process.name != "vagent.exe"
Scenario: Admin task involving file integrity monitoring or endpoint protection software
Filter/Exclusion: Exclude processes from endpoint protection tools like Microsoft Defender, CrowdStrike Falcon, or Kaspersky Endpoint Security. Use a filter such as:
process.name != "MsMpEng.exe" AND process.name != "falcon.exe" AND process.name != "kavsvc.exe"
Scenario: Network discovery or inventory tool scanning internal systems
Filter/Exclusion: Exclude processes from network discovery tools like SolarWinds IP Address Manager or Nmap. Use a filter such as:
process.name != "ipam.exe" AND process.name != "nmap.exe" AND process.name != "netsh.exe"
Note that netsh.exe is a built-in Windows utility that is frequently abused for reconnaissance and firewall changes; excluding it outright hides that activity, so restrict the exclusion to the inventory tool's own service account or host.
Scenario: Legitimate script or automation job using a tool with similar behavior
Filter/Exclusion: Exclude processes initiated by scheduled tasks or automation tools like PowerShell, Task Scheduler, or Ansible
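The following added example (not part of the original page) runs the exclusion logic from the scenarios above over a handful of constructed process events. It shows why the filters must be joined with AND rather than OR, and why a name-only exclusion also swallows a masquerading binary, by adding a signer-aware variant. The event records, the path and signer fields, the signer strings and all helper names are assumptions made for illustration.

```python
# Constructed sample process events (not real telemetry). The schema uses
# the process.name key from the filters above; 'path' and 'signer' are
# assumed fields added to show a stronger exclusion key.
EVENTS = [
    {"process.name": "wusa.exe", "path": r"C:\Windows\System32\wusa.exe", "signer": "Microsoft Windows"},
    {"process.name": "veeam.exe", "path": r"C:\Program Files\Veeam\veeam.exe", "signer": "Veeam Software Group"},
    {"process.name": "veeam.exe", "path": r"C:\Users\Public\veeam.exe", "signer": None},  # masquerading, unsigned
    {"process.name": "dropper.exe", "path": r"C:\Users\Public\dropper.exe", "signer": None},
]

PATCH_TOOLS = {"wusa.exe", "msiexec.exe", "setup.exe"}
BACKUP_TOOLS = {"veeam.exe", "netbackup.exe", "vagent.exe"}

# Assumed name -> expected code-signing subject pairs for the exclusion.
EXPECTED_SIGNER = {"wusa.exe": "Microsoft Windows", "veeam.exe": "Veeam Software Group"}


def or_filter(event, names):
    """The filter as originally written: '!=' tests joined with OR.
    A process has one name, so at most one test is false and the
    expression is true for every event: nothing is excluded."""
    return any(event["process.name"] != n for n in names)


def and_filter(event, names):
    """Corrected filter: keep the event only if its name is none of
    the listed names (equivalent to process.name NOT IN names)."""
    return all(event["process.name"] != n for n in names)


def signer_aware_filter(event, expected=EXPECTED_SIGNER):
    """Exclude only when the name and the signing subject both match
    the known-good pair; a same-named unsigned binary stays in scope."""
    name = event["process.name"]
    if name not in expected:
        return True
    return event.get("signer") != expected[name]


def survivors(events, predicate, *args):
    """Names of the events that pass (are not excluded by) the filter."""
    return [e["process.name"] for e in events if predicate(e, *args)]


if __name__ == "__main__":
    print("OR, patch tools  :", survivors(EVENTS, or_filter, PATCH_TOOLS))
    print("AND, patch tools :", survivors(EVENTS, and_filter, PATCH_TOOLS))
    print("AND, backup tools:", survivors(EVENTS, and_filter, BACKUP_TOOLS))
    print("signer-aware     :", survivors(EVENTS, signer_aware_filter))
```

With the OR form every event survives, including the one named wusa.exe that the filter was meant to drop. The AND form excludes the listed names, but for the backup list it also excludes the unsigned veeam.exe in a user-writable directory; the signer-aware variant keeps that one for review while still excluding the legitimately signed copies.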