The presence of DropBear SSH Server indicates potential adversary use of a non-standard SSH service to maintain persistent access within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate unauthorized access mechanisms that could support long-term persistence.
YARA Rule
rule DropBear_SSH_Server
{
    meta:
        description = "Detects DropBear SSH Server (not a threat but used to maintain access)"
        author = "Florian Roth"
        reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
        date = "2016-01-03"
        score = 50
        hash = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd"
    strings:
        $s1 = "Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.html" fullword ascii
        $s2 = "Badly formatted command= authorized_keys option" fullword ascii
        $s3 = "This Dropbear program does not support '%s' %s algorithm" fullword ascii
        $s4 = "/etc/dropbear/dropbear_dss_host_key" fullword ascii
        $s5 = "/etc/dropbear/dropbear_rsa_host_key" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
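To show exactly what the condition above accepts and rejects, here is an added Python re-implementation of the rule's logic (not part of the original rule or of YARA): it emulates the MZ magic check, the 1000KB size bound, YARA's `fullword ascii` semantics (no alphanumeric byte directly before or after the string), and the "2 of them" count, then runs it over constructed sample buffers. The buffers are synthetic, not real DropBear binaries; note that because of the `uint16(0) == 0x5a4d` clause only PE (Windows) builds can match, so an ELF build carrying the same strings is rejected.

```python
import re

# Strings transcribed from the DropBear_SSH_Server rule above ($s1..$s5).
DROPBEAR_STRINGS = [
    b"Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.html",
    b"Badly formatted command= authorized_keys option",
    b"This Dropbear program does not support '%s' %s algorithm",
    b"/etc/dropbear/dropbear_dss_host_key",
    b"/etc/dropbear/dropbear_rsa_host_key",
]
MAX_SIZE = 1000 * 1024   # "filesize < 1000KB"; YARA's KB is 1024 bytes
MZ_MAGIC = 0x5A4D        # uint16(0) is little-endian, so "MZ" reads as 0x5a4d


def fullword_ascii_match(data: bytes, needle: bytes) -> bool:
    """Emulate YARA `fullword ascii`: the needle may not be directly
    preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return re.search(pattern, data) is not None


def matched_strings(data: bytes) -> list[str]:
    """Return the identifiers ($s1..$s5) of the strings present in data."""
    return [f"$s{i}" for i, s in enumerate(DROPBEAR_STRINGS, 1)
            if fullword_ascii_match(data, s)]


def rule_matches(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them"""
    if len(data) < 2:
        return False
    magic = int.from_bytes(data[:2], "little")
    return (magic == MZ_MAGIC and len(data) < MAX_SIZE
            and len(matched_strings(data)) >= 2)


# Constructed sample buffers (synthetic, not real binaries), one per clause.
PE_WITH_TWO = (b"MZ" + b"\x00" * 64
               + b"\x00Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.html\x00"
               + b"\x00/etc/dropbear/dropbear_rsa_host_key\x00")
ELF_WITH_TWO = b"\x7fELF" + PE_WITH_TWO[2:]        # same strings, ELF magic
PE_WITH_ONE = b"MZ" + b"\x00/etc/dropbear/dropbear_rsa_host_key\x00"
PE_NOT_FULLWORD = (b"MZ" + b"\x00X/etc/dropbear/dropbear_rsa_host_keyX"
                   b"\x00/etc/dropbear/dropbear_dss_host_keyZ")  # glued to letters
PE_TOO_BIG = PE_WITH_TWO + b"\x00" * MAX_SIZE

if __name__ == "__main__":
    for name, buf in [("PE_WITH_TWO", PE_WITH_TWO), ("ELF_WITH_TWO", ELF_WITH_TWO),
                      ("PE_WITH_ONE", PE_WITH_ONE), ("PE_NOT_FULLWORD", PE_NOT_FULLWORD),
                      ("PE_TOO_BIG", PE_TOO_BIG)]:
        print(f"{name:16} match={rule_matches(buf)} strings={matched_strings(buf)}")
```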
Scenario: A system administrator is using DropBear for SSH access on a test server
Filter/Exclusion: Check for the presence of dropbear in a test environment, or use a tag like environment:test to exclude it from alerts.
Scenario: A scheduled job runs DropBear to transfer files securely
Filter/Exclusion: Filter by process name or command-line arguments containing scp or rsync, or use a tag like job:file_transfer.
Scenario: An admin is using DropBear as an alternative SSH server for legacy systems
Filter/Exclusion: Check for the presence of dropbear in a legacy system environment, or use a tag like system:legacy.
Scenario: DropBear is used as a fallback SSH server during primary SSH server downtime
Filter/Exclusion: Filter by time window (e.g., during known maintenance windows), or use a tag like event:backup_ssh.
Scenario: DropBear is installed as part of a containerized application for secure internal communication
Filter/Exclusion: Check for the presence of docker or container in the process context, or use a tag like container:internal.