The hypothesis is that the detected sample is associated with the Dubnium Report, indicating potential adversarial activity linked to known malicious behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate threats early: the rule's severity is low, but the associated activity may involve persistence and lateral movement.
YARA Rule
rule Dubnium_Sample_SSHOpenSSL
{
    meta:
        description = "Detects sample mentioned in the Dubnium Report"
        author = "Florian Roth"
        reference = "https://goo.gl/AW9Cuu"
        date = "2016-06-10"
        hash1 = "6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b"
        hash2 = "feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8"
        hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf"
        hash4 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f"
        hash5 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9"
        hash6 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b"
    strings:
        $s1 = "sshkeypairgen.exe" fullword wide    // UTF-16LE, bounded by non-alphanumerics
        $s2 = "OpenSSL: FATAL" fullword ascii
    condition:
        // MZ header (PE file), size cap, and both strings present
        uint16(0) == 0x5a4d and filesize < 9000KB and all of them
}
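To make the matching semantics of the rule concrete (what uint16(0), the KB-based filesize cap, wide and fullword actually accept), here is an added example that re-implements this rule's condition in plain Python and runs it over constructed byte buffers. It is not part of the page or of the signature-base project, it does not call YARA, and its fullword check approximates libyara's neighbouring-character test rather than reproducing it exactly.

```python
# Added example: pure-Python evaluation of the Dubnium_Sample_SSHOpenSSL
# condition over constructed buffers (no YARA dependency). Constants come
# from the rule; the fullword logic approximates libyara's behaviour.

MZ_MAGIC = 0x5A4D                 # uint16(0) == 0x5a4d: DOS/PE "MZ" header
MAX_SIZE = 9000 * 1024            # filesize < 9000KB (YARA's KB = 1024 bytes)
S1_WIDE = "sshkeypairgen.exe".encode("utf-16-le")   # $s1 fullword wide
S2_ASCII = b"OpenSSL: FATAL"                         # $s2 fullword ascii


def uint16_le(data: bytes, offset: int):
    """YARA's uint16(offset): little-endian read, None when out of range."""
    if len(data) < offset + 2:
        return None
    return data[offset] | (data[offset + 1] << 8)


def _alnum(b: int) -> bool:
    """ASCII alphanumeric test on one byte (non-ASCII bytes are not alnum)."""
    return b < 0x80 and chr(b).isalnum()


def find_fullword(data: bytes, needle: bytes, wide: bool) -> bool:
    """Approximate YARA 'fullword': an occurrence counts only if it is not
    immediately preceded or followed by an alphanumeric character; for 'wide'
    strings the neighbour is a UTF-16LE code unit (alnum byte + 0x00)."""
    step = 2 if wide else 1
    start = 0
    while (idx := data.find(needle, start)) != -1:
        end = idx + len(needle)
        before_alnum = idx >= step and _alnum(data[idx - step]) and (
            not wide or data[idx - step + 1] == 0)
        after_alnum = end + step <= len(data) and _alnum(data[end]) and (
            not wide or data[end + 1] == 0)
        if not before_alnum and not after_alnum:
            return True
        start = idx + 1          # keep scanning for a word-bounded occurrence
    return False


def rule_matches(data: bytes) -> bool:
    """Condition: uint16(0) == 0x5a4d and filesize < 9000KB and all of them."""
    return (
        uint16_le(data, 0) == MZ_MAGIC
        and len(data) < MAX_SIZE
        and find_fullword(data, S1_WIDE, wide=True)
        and find_fullword(data, S2_ASCII, wide=False)
    )


# Constructed buffers (not real samples): a stub "PE" is just the MZ magic
# plus padding; each buffer breaks exactly one clause except "hit".
PE_STUB = b"MZ" + b"\x00" * 62
SAMPLES = {
    "hit": PE_STUB + S1_WIDE + b"\x00\x00" + S2_ASCII + b"\x00",
    "only_s2": PE_STUB + S2_ASCII + b"\x00",                          # 'all of them' fails
    "not_pe": b"\x7fELF" + S1_WIDE + b"\x00\x00" + S2_ASCII + b"\x00",  # no MZ magic
    "ascii_s1": PE_STUB + b"sshkeypairgen.exe\x00" + S2_ASCII + b"\x00",  # $s1 is wide-only
    "not_fullword": PE_STUB + "xsshkeypairgen.exe".encode("utf-16-le")
                    + b"\x00\x00" + S2_ASCII + b"\x00",                # inside a longer word
    "too_big": PE_STUB + S1_WIDE + b"\x00\x00" + S2_ASCII + b"\x00" * MAX_SIZE,
}


def evaluate_samples() -> dict:
    """Run the rule over every constructed buffer; only 'hit' should match."""
    return {name: rule_matches(buf) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:13s} -> {'MATCH' if verdict else 'no match'}")
```

The "ascii_s1" and "not_fullword" buffers are the ones worth studying: the rule will not fire on an ASCII copy of the file name, nor on the name embedded in a longer alphanumeric token, which is why fullword wide strings produce fewer incidental hits than a bare ascii pattern would.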
This rule contains 2 string patterns in its detection logic. The scenarios below describe legitimate activity that may coincide with a match, together with the filter or exclusion to consider when tuning alerts. Note that YARA evaluates file content, not process names, so these exclusions apply to the process context recorded alongside a match rather than to the rule itself.
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Check for the presence of veeam in the process name or command line arguments.
Rationale: Veeam backups may include files or paths that resemble those in the Dubnium Report, but are part of legitimate backup operations.

Scenario: Windows Update installation via Group Policy
Filter/Exclusion: Filter out processes related to wuauclt.exe or msiexec.exe associated with Windows Update.
Rationale: Windows Update may temporarily create or modify files that match the criteria in the Dubnium Report.

Scenario: Log file parsing by Splunk
Filter/Exclusion: Exclude processes with splunkd.exe or splunkforwarder.exe in the process tree.
Rationale: Splunk may process log files that contain strings or patterns similar to those in the Dubnium Report.

Scenario: Database maintenance task using SQL Server Agent
Filter/Exclusion: Filter out tasks initiated by sqlservr.exe or sqlagent.exe with known maintenance job names.
Rationale: SQL Server maintenance jobs may involve file operations that match the Dubnium Report's criteria.

Scenario: Antivirus scan using Bitdefender
Filter/Exclusion: Exclude processes with bdagent.exe or bdscan.exe associated with Bitdefender scans.
Rationale: Antivirus tools may scan files that match the Dubnium Report, leading to false positives during routine scans.
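The five exclusions above, applied as a triage step over constructed match events, as an added example that is not part of the page or of any vendor's tooling. The event fields (process, command_line, ancestors, job_name) and the set of known maintenance job names are assumptions standing in for whatever the scanning pipeline records next to a YARA hit.

```python
# Added example: tag YARA match events that fall inside the page's
# filter/exclusion scenarios so they are suppressed before escalation.
# Event schema and KNOWN_MAINTENANCE_JOBS are assumed, not from the page.
import ntpath


def _base(path: str) -> str:
    """Normalise a Windows process path to its lower-case file name."""
    return ntpath.basename(path).lower()


# Assumed allow-list of SQL Agent job names treated as routine maintenance.
KNOWN_MAINTENANCE_JOBS = {"indexoptimize", "dbcc checkdb", "syspolicy_purge_history"}


def is_veeam_backup(e: dict) -> bool:
    """Scenario 1: 'veeam' in the process name or command line."""
    return "veeam" in _base(e["process"]) or "veeam" in e.get("command_line", "").lower()


def is_windows_update(e: dict) -> bool:
    """Scenario 2: wuauclt.exe / msiexec.exe associated with Windows Update."""
    return _base(e["process"]) in {"wuauclt.exe", "msiexec.exe"}


def is_splunk_ingest(e: dict) -> bool:
    """Scenario 3: splunkd.exe / splunkforwarder.exe anywhere in the process tree."""
    tree = [e["process"], *e.get("ancestors", [])]
    return any(_base(p) in {"splunkd.exe", "splunkforwarder.exe"} for p in tree)


def is_sql_maintenance(e: dict) -> bool:
    """Scenario 4: SQL Server / SQL Agent with a known maintenance job name.
    An unknown job under sqlagent.exe deliberately does NOT qualify."""
    return (_base(e["process"]) in {"sqlservr.exe", "sqlagent.exe"}
            and e.get("job_name", "").lower() in KNOWN_MAINTENANCE_JOBS)


def is_bitdefender_scan(e: dict) -> bool:
    """Scenario 5: bdagent.exe / bdscan.exe scan activity."""
    return _base(e["process"]) in {"bdagent.exe", "bdscan.exe"}


EXCLUSIONS = [
    ("veeam_backup", is_veeam_backup),
    ("windows_update", is_windows_update),
    ("splunk_ingest", is_splunk_ingest),
    ("sql_maintenance", is_sql_maintenance),
    ("bitdefender_scan", is_bitdefender_scan),
]


def triage(event: dict) -> str:
    """Return 'suppress:<scenario>' for the first matching exclusion, else 'escalate'."""
    for label, predicate in EXCLUSIONS:
        if predicate(event):
            return f"suppress:{label}"
    return "escalate"


# Constructed match events (paths and job names are illustrative only).
EVENTS = [
    {"id": 1, "process": r"C:\Program Files\Veeam\Backup\VeeamAgent.exe", "ancestors": []},
    {"id": 2, "process": r"C:\Windows\System32\wuauclt.exe",
     "command_line": "wuauclt.exe /detectnow", "ancestors": [r"C:\Windows\System32\services.exe"]},
    {"id": 3, "process": r"C:\Windows\System32\cmd.exe",
     "ancestors": [r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"]},
    {"id": 4, "process": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.exe",
     "job_name": "IndexOptimize"},
    {"id": 5, "process": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.exe",
     "job_name": "weird_job"},
    {"id": 6, "process": r"C:\Users\alice\AppData\Local\Temp\sshkeypairgen.exe",
     "ancestors": [r"C:\Windows\explorer.exe"]},
]


def triage_all() -> dict:
    """Map each constructed event id to its triage verdict."""
    return {e["id"]: triage(e) for e in EVENTS}


if __name__ == "__main__":
    for event_id, verdict in triage_all().items():
        print(f"event {event_id}: {verdict}")
```

Event 5 is the instructive case: the process is sqlagent.exe, but because the job name is not on the maintenance allow-list it still escalates, which keeps the SQL exclusion from becoming a blanket suppression of anything launched by the agent. The same reasoning applies to msiexec.exe, which installs arbitrary packages; tying that exclusion to the Windows Update service context rather than the binary name alone keeps it narrow.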