The davivienda rule is a single-string YARA rule tagged mail: it fires on any scanned input (mail bodies and attachments, given the tag) that contains the text "davivienda" in any letter case. Davivienda is a Colombian bank, so the rule is a brand-keyword indicator, the kind used to surface mail that mentions or impersonates the bank. It does not by itself detect file execution, network activity or lateral movement; a hit is a lead for triage, not evidence of compromise. SOC teams can run it with the yara command-line scanner or with any mail-security or sandbox product that accepts YARA rules, and should pair it with other indicators (sender authentication results, URLs, attachment types) before raising an alert.
YARA Rule
rule davivienda : mail {
    strings:
        $nombre = "davivienda" nocase
    condition:
        all of them
}
This rule contains one string pattern, $nombre, so the condition all of them reduces to "$nombre matched at least once". The string carries the nocase modifier, which makes the comparison case-insensitive for ASCII letters (DAVIVIENDA, Davivienda and davivienda all match), but it does not carry the wide modifier, so the text is only matched in its one-byte-per-character encoding. The same word stored as UTF-16 (each letter followed by a NUL byte, as in many Office, RTF and Windows-generated artifacts) is not matched; a variant declared as "davivienda" ascii wide nocase would cover both encodings.
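The following Python script is an added example, not part of the original page or of any YARA project code. It emulates the matching semantics of $nombre (case-insensitive ASCII, optionally with the wide modifier) and runs the rule over a few constructed sample messages, so the nocase and missing-wide behaviour described above can be observed without a yara binary. The sample text, sender addresses and sample names are made up for illustration.

```python
import re
from typing import Dict, List

# The page's rule: a single text string, nocase, no 'wide' modifier.
RULE_STRING = "davivienda"


def _ascii_pattern(text: str) -> bytes:
    """Byte regex for a plain YARA text string (one byte per character)."""
    return re.escape(text.encode("ascii"))


def _wide_pattern(text: str) -> bytes:
    """Byte regex for the YARA 'wide' modifier: each character followed by a
    NUL byte, which is how UTF-16LE stores ASCII text."""
    return b"".join(re.escape(ch.encode("ascii")) + b"\x00" for ch in text)


def find_matches(data: bytes, *, nocase: bool = True, wide: bool = False) -> List[int]:
    """Return the byte offsets at which $nombre would match in `data`.

    nocase=True, wide=False reproduces the page's rule as written.
    wide=True emulates the stricter '"davivienda" ascii wide nocase' variant
    (both encodings are searched).
    """
    patterns = [_ascii_pattern(RULE_STRING)]
    if wide:
        patterns.append(_wide_pattern(RULE_STRING))
    # YARA's nocase is ASCII-only case folding, which is what re.IGNORECASE
    # does on a bytes pattern.
    flags = re.IGNORECASE if nocase else 0
    regex = re.compile(b"|".join(patterns), flags)
    return [m.start() for m in regex.finditer(data)]


def rule_davivienda(data: bytes, **modifiers) -> bool:
    """condition: all of them -> with one string this is just 'it matched'."""
    return len(find_matches(data, **modifiers)) > 0


# Constructed sample messages (not real mail); addresses are placeholders.
SAMPLES: Dict[str, bytes] = {
    # Upper-case brand name in the subject: nocase is what makes this hit.
    "upper_subject": (
        b"From: alertas@example.invalid\r\n"
        b"Subject: Su cuenta DAVIVIENDA ha sido bloqueada\r\n\r\n"
        b"Ingrese aqui para reactivarla.\r\n"
    ),
    # Same lure, but UTF-16LE encoded (as extracted from an Office/RTF part).
    "utf16_body": "Banco Davivienda: verifique su cuenta".encode("utf-16-le"),
    # Unrelated message.
    "clean": b"Subject: Weekly report\r\n\r\nNumbers attached.\r\n",
}


def scan(samples: Dict[str, bytes], **modifiers) -> List[str]:
    """Names of the samples on which the rule fires, like running yara over
    a directory of exported messages."""
    return [name for name, data in samples.items() if rule_davivienda(data, **modifiers)]


if __name__ == "__main__":
    print("rule as written      :", scan(SAMPLES))                # ['upper_subject']
    print("with ascii wide      :", scan(SAMPLES, wide=True))     # ['upper_subject', 'utf16_body']
    print("without nocase       :", scan(SAMPLES, nocase=False))  # []
```

The script shows the two practical consequences of the rule's modifiers: dropping nocase would miss the upper-case lure in the subject line, and the absence of wide means the UTF-16 copy of the same text is never seen, which matters when the scanner is pointed at extracted attachments rather than at the 7-bit mail body.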
Because the rule matches nothing more specific than the bank's name, benign hits are expected wherever that name legitimately appears. Typical false-positive scenarios and how to filter them:
Scenario: Genuine correspondence from the bank (account statements, transaction notifications, marketing) or customer replies that quote such a message.
Filter/Exclusion: Check the sending domain and the SPF, DKIM and DMARC results in the message headers; reserve alerting for messages that use the name but come from unrelated or unauthenticated senders.
Scenario: Internal mail in an organization that banks with Davivienda (finance, payroll, accounts payable) mentions the bank routinely.
Filter/Exclusion: Scope the rule to inbound external mail, or exclude authenticated internal senders and known business mailboxes.
Scenario: Newsletters, press clippings and regional news digests that mention the bank in passing.
Filter/Exclusion: Exclude known bulk senders, or require a second indicator (a login link, a credential form, an executable or archive attachment) before escalating.
Scenario: The rule is run outside its mail context, over documents, browser caches or disk images that contain the word for ordinary reasons.
Filter/Exclusion: Restrict scanning to mail stores and attachments, or treat hits outside that scope as informational rather than as alerts.