The ibanking rule detects potential credential theft or unauthorized access attempts by matching URLs embedded in Android application packages (via the androguard YARA module) against domains associated with the ibanking family. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary activity that could lead to data exfiltration or lateral movement.
YARA Rule
import "androguard"

rule ibanking : amtrckr
{
    meta:
        family = "ibanking"
    condition:
        // fires if any URL string in the APK matches either domain
        androguard.url(/www\.irmihan\.ir/) or
        androguard.url(/emberaer\.com/)
}
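The following added example (not part of the original page or the androguard project) models how the rule's condition evaluates: androguard.url() is treated as an unanchored regex search over the URL strings extracted from an APK, and the sample URL lists are constructed for illustration.

```python
import re

# Regexes copied from the rule's condition. The androguard YARA module's
# url() reports a hit when the regex matches any URL string in the APK.
IBANKING_URL_PATTERNS = {
    "irmihan": re.compile(r"www\.irmihan\.ir"),
    "emberaer": re.compile(r"emberaer\.com"),
}

def ibanking_condition(urls):
    """Mirror the rule's OR condition over the URL strings of one APK.

    Returns the names of the indicators that matched; an empty list
    means the rule would not fire on this sample. The search is
    unanchored, exactly like the rule, so a subdomain still matches.
    """
    return sorted(
        name for name, pat in IBANKING_URL_PATTERNS.items()
        if any(pat.search(u) for u in urls)
    )

def unescaped_dot_hits(urls):
    """Show why the rule escapes the dots: with a bare '.' the pattern
    also matches look-alike strings such as 'emberaer-com'."""
    loose = re.compile(r"emberaer.com")
    return [u for u in urls if loose.search(u)]

# Constructed URL lists standing in for strings extracted from two APKs.
SUSPECT_APK_URLS = [
    "https://www.irmihan.ir/api/v1/login",
    "https://cdn.example.net/jquery.min.js",
]
BENIGN_APK_URLS = [
    "https://www.example.com/privacy",
    "https://emberaer-com.example.org/",   # not a hit: the dot is escaped
]

if __name__ == "__main__":
    print(ibanking_condition(SUSPECT_APK_URLS))   # ['irmihan']
    print(ibanking_condition(BENIGN_APK_URLS))    # []
    print(unescaped_dot_hits(BENIGN_APK_URLS))    # ['https://emberaer-com.example.org/']
```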
The following legitimate scenarios may trigger this YARA rule; each lists a suggested filter or exclusion for tuning:
Scenario: Legitimate scheduled job for backup or data synchronization using Veeam Backup & Replication
Filter/Exclusion: Check for presence of veeam in the process name or command line, or filter by user account associated with the backup service.
Scenario: Administrative task involving Microsoft Exchange Online PowerShell for mailbox management or migration
Filter/Exclusion: Filter by user account with ExchangeAdmin or MailboxManagement privileges, or check for presence of ExchangeOnlineManagement module in the command line.
Scenario: Routine system update or patching using Windows Server Update Services (WSUS)
Filter/Exclusion: Filter by process name wuauclt.exe or check for presence of wsus in the command line, or correlate with known patching schedules.
Scenario: Use of PowerShell scripts for automated reporting or compliance checks by internal IT teams
Filter/Exclusion: Filter by user account with ITAdmin or Compliance role, or check for presence of PowerShell in the command line with known script paths.
Scenario: Legitimate use of Ansible for configuration management or deployment tasks
Filter/Exclusion: Filter by presence of ansible in the process name or command line, or check for known Ansible inventory files and playbooks.