The detection rule identifies potential phishing attempts using a fake Facebook login page, which adversaries may use to steal user credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage phishing campaigns before they lead to credential compromise.
YARA Rule
rule fake_facebook: fake android
{
    meta:
        author = "https://twitter.com/Diviei"
        reference = "https://koodous.com/"
    condition:
        // The app presents itself as "Facebook" ...
        androguard.app_name("Facebook")
        // ... but is not signed with Facebook's known release certificate
        and not androguard.certificate.sha1("A0E980408030C669BCEB38FEFEC9527BE6C3DDD0")
}
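The two checks the rule combines, re-implemented as an added Python example (not the page's or Koodous's code): it pulls the v1 signing certificate out of an APK's META-INF/*.RSA with a minimal DER walker, hashes it, and compares the SHA-1 against the pinned value. The APK and "certificate" bytes are constructed placeholders, and the app name is passed in as an argument rather than parsed from the manifest.

```python
import hashlib
import io
import zipfile
# SHA-1 of Facebook's APK signing certificate, as pinned by the YARA rule above.
FACEBOOK_CERT_SHA1 = "A0E980408030C669BCEB38FEFEC9527BE6C3DDD0"

def read_tlv(buf, off):
    """Decode the DER TLV at buf[off]; return (tag, value_start, tlv_end). Handles long-form lengths."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give how many bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def children(buf, off):
    """Return [(tag, tlv_start, tlv_end), ...] for every TLV nested in the constructed TLV at off."""
    _, pos, end = read_tlv(buf, off)
    out = []
    while pos < end:
        tag, _, nxt = read_tlv(buf, pos)
        out.append((tag, pos, nxt))
        pos = nxt
    return out
def first_cert_sha1(pkcs7):
    """SHA-1 of the first X.509 certificate inside a PKCS#7 SignedData blob (META-INF/*.RSA)."""
    wrapper = children(pkcs7, 0)[1]                     # ContentInfo = OID, [0] EXPLICIT SignedData
    signed_data = children(pkcs7, wrapper[1])[0]        # the SignedData SEQUENCE inside [0]
    certs = next(f for f in children(pkcs7, signed_data[1]) if f[0] == 0xA0)  # [0] IMPLICIT certificates
    _, start, end = children(pkcs7, certs[1])[0]        # hash the whole certificate TLV
    return hashlib.sha1(pkcs7[start:end]).hexdigest().upper()

def apk_cert_sha1(apk_bytes):
    """An APK is a zip; the v1 signature block lives in META-INF/*.RSA."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        rsa = next(n for n in z.namelist() if n.startswith("META-INF/") and n.upper().endswith(".RSA"))
        return first_cert_sha1(z.read(rsa))
def is_fake_facebook(app_name, apk_bytes):
    """The rule's logic: the app calls itself 'Facebook' but is not signed with Facebook's key."""
    return app_name == "Facebook" and apk_cert_sha1(apk_bytes) != FACEBOOK_CERT_SHA1

# Constructed sample, not a real APK: a minimal PKCS#7 wrapper around a placeholder "certificate".
def der(tag, body):
    assert len(body) < 128  # short-form length is enough for this toy blob
    return bytes([tag, len(body)]) + body

PLACEHOLDER_CERT = der(0x30, b"placeholder DER bytes standing in for an X.509 certificate")
SIGNED_DATA = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")) + der(0xA0, PLACEHOLDER_CERT))
SAMPLE_RSA = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, SIGNED_DATA))
SAMPLE_CERT_SHA1 = hashlib.sha1(PLACEHOLDER_CERT).hexdigest().upper()
def build_sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", SAMPLE_RSA)
    return buf.getvalue()
```

APKs signed only with the v2/v3 scheme may carry no META-INF/*.RSA entry, in which case the certificate has to be read from the APK Signing Block instead.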
The following benign scenarios may resemble matches for this YARA rule; each is listed with a suggested filter or exclusion:

Scenario: System Update or Patching Process
    Description: A legitimate system update or patching job may include files with names similar to “fake_facebook” due to naming conventions or temporary files.
    Filter/Exclusion: Exclude files whose file_name or path contains “update”, “patch”, or “install”.

Scenario: Scheduled Backup Job
    Description: A backup process may generate temporary files or use a naming pattern that resembles the “fake_facebook” YARA rule.
    Filter/Exclusion: Exclude files created within the backup directory (e.g., /backup/) or with timestamps matching the backup schedule.

Scenario: Admin Task - User Account Creation
    Description: An administrator may create a user account with a username or script that includes “fake_facebook” as part of a test or placeholder.
    Filter/Exclusion: Exclude processes initiated by the root or admin user, or filter by process_owner matching known admin accounts.

Scenario: Log File Parsing or Monitoring Tool
    Description: A log parsing tool such as logrotate or rsyslog may generate files with names that match the “fake_facebook” pattern during log rotation.
    Filter/Exclusion: Exclude files located in log directories (e.g., /var/log/) or with file extensions such as .log, .gz, or .rotate.

Scenario: Development or Testing Environment
    Description: Developers may use placeholder names like “fake_facebook” in test environments or mock data files.
    Filter/Exclusion: Exclude files in development directories (e.g., /dev/, /test/, /workspace/) or those with a file_type indicating test data.