The lenovo_reaper rule is an Android indicator rule: it tags an APK as belonging to the family labelled "lenovo_reaper" when any URL the androguard module extracts from the package matches the host uefsr.lenovomm.com. It encodes a single network indicator (one contact host), not a behavioural signature, so a match tells you only that the app references that host; it says nothing about the app's capabilities and nothing about vulnerabilities in Lenovo devices. The androguard module is the Koodous extension, not part of upstream YARA, so the rule runs in APK analysis pipelines that provide that module and fails to compile under stock yara because the module is unknown (the rule as written also has no import statement, so it relies on the platform importing the module for it). A SIEM such as Azure Sentinel cannot evaluate the rule directly; the practical pattern is to run it in the APK pipeline and forward matches there as alerts, where SOC analysts triage them with the checks listed below.
YARA Rule
rule lenovo_reaper: amtrckr
{
    meta:
        family = "lenovo_reaper"
    condition:
        androguard.url(/uefsr\.lenovomm\.com/)
}
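The rule's logic, reproduced as an added Python example (not part of the original page or of the amtrckr rule set): it builds constructed APK-like archives, pulls http(s) URLs out of every entry much as the androguard module's url() exposes them, and applies the rule's regex with the unanchored search semantics YARA uses. It also shows a tightened pattern that rejects look-alike hosts. The build_fake_apk, extract_urls and rule_hits helpers, the sample URLs and the TIGHT pattern are all assumptions made for this example; the real androguard module decompiles the dex and resources rather than scanning raw bytes, which this string scan only approximates.

```python
import io
import re
import zipfile

# Constructed stand-ins for APKs (not real samples): the URLs are dropped
# into a fake classes.dex entry, roughly where an APK's string pool lives.
def build_fake_apk(urls):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        strings = b"\x00".join(u.encode("ascii") for u in urls)
        zf.writestr("classes.dex", b"dex\n035\x00" + strings + b"\x00")
    return buf.getvalue()

SAMPLE_HIT = build_fake_apk([
    "http://uefsr.lenovomm.com/api/report",   # the rule's indicator
    "https://example.com/terms",
])
SAMPLE_LOOKALIKE = build_fake_apk([
    "http://uefsr.lenovomm.com.evil.example/c2",  # indicator as a prefix
    "http://notuefsr.lenovomm.com/",              # indicator as a suffix
])
SAMPLE_CLEAN = build_fake_apk(["https://example.com/"])

# Rough equivalent of androguard.url(): every http(s) URL in the archive.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")

def extract_urls(apk_bytes):
    """Collect the distinct URL strings found in any entry of the package."""
    urls = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            for m in URL_RE.finditer(zf.read(name)):
                urls.add(m.group(0).decode("ascii"))
    return sorted(urls)

# The rule's regex verbatim. YARA searches it (unanchored), so any URL
# that merely contains the substring satisfies the condition.
LOOSE = re.compile(r"uefsr\.lenovomm\.com")

# Tightened form (an assumption, not taken from the rule): the host must
# follow the scheme, optionally with a subdomain prefix, and end at ':',
# '/' or the end of the URL, so look-alike hosts no longer match.
TIGHT = re.compile(
    r"^https?://(?:[a-z0-9-]+\.)*uefsr\.lenovomm\.com(?:[:/]|$)", re.I
)

def rule_hits(apk_bytes, pattern=LOOSE):
    """Return the URLs in the package that satisfy the rule's condition."""
    return [u for u in extract_urls(apk_bytes) if pattern.search(u)]

if __name__ == "__main__":
    samples = [("hit", SAMPLE_HIT), ("lookalike", SAMPLE_LOOKALIKE), ("clean", SAMPLE_CLEAN)]
    for label, apk in samples:
        print(label, "loose:", rule_hits(apk), "tight:", rule_hits(apk, TIGHT))
```

Running it shows the rule's regex firing on both look-alike URLs while the anchored pattern matches only the genuine host, which is the check an analyst should make by hand on each matched URL before acting on a hit.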
Because the rule is evaluated against Android packages, not running Windows processes, exclusions based on process names do not apply. The realistic sources of false positives, and what to check before acting on a match, are:
Scenario: Legitimate Lenovo mobile software
Description: The host sits under lenovomm.com, a domain used by Lenovo's mobile software, and the rule fires on the presence of the URL alone, so a legitimate Lenovo app or Lenovo-preloaded component that talks to uefsr.lenovomm.com matches exactly like a malicious one.
Filter/Exclusion: Compare the package name and the APK signing certificate with those of known-good Lenovo apps; a match signed by an unknown certificate, or a repackaged build of a known app, is the suspicious case. Do not exclude on package name alone, since malware reuses package names freely.
Scenario: Third-party apps bundling a Lenovo component
Description: An app that embeds a Lenovo SDK or library that contacts the host carries the URL inside the library's code, not its own, so the match points at the component rather than at the app's purpose.
Filter/Exclusion: Locate where in the APK the URL occurs (which class or resource) and whether that code path is reachable; treat the match as informational if its only occurrence is inside an otherwise known-good library.
Scenario: Security and blocklist apps that embed the indicator as data
Description: Ad blockers, parental-control tools and threat-intelligence apps ship hostname blocklists, and a list containing uefsr.lenovomm.com produces a match even though the app never connects to it.
Filter/Exclusion: Check whether the string appears in an asset or resource file (a list) rather than in code that builds a connection; exclude apps whose only occurrence is in such data.
Scenario: Look-alike hostnames matched by the unanchored regex
Description: The pattern uefsr\.lenovomm\.com is searched, not anchored, so URLs such as http://uefsr.lenovomm.com.example.test/ or http://notuefsr.lenovomm.com/ satisfy the condition as well.
Filter/Exclusion: Verify that the matched URL's host is exactly uefsr.lenovomm.com (or a subdomain of it) before acting on the alert; where the platform permits, tighten the pattern so the host must directly follow the scheme and end at a port, path separator or the end of the URL.
Scenario: Indicator ageing
Description: The rule is keyed to one host. If that host is sinkholed, parked or returned to legitimate use, matches on historical samples remain meaningful, but a new app referencing the host is no longer evidence of the family on its own.
**Filter/Ex