The Mal_http_EXE rule below is a file-content signature for a trojan that an APT report referred to by the filename http.exe. It keys on strings embedded in the binary, among them a multipart-upload Content-Disposition header, a drop path for wordpade.exe, a query against Firefox's moz_logins table and two base64 blobs, not on the process name, so it is applied by scanning files or memory with YARA (through an EDR, an on-demand scanner or a sandbox) rather than by querying process telemetry. A confirmed hit points to credential theft from Firefox profiles and exfiltration over HTTP. SOC teams should escalate confirmed matches and, where scanner alerts are forwarded to Azure Sentinel, use the hit as a pivot to hunt for the dropped artifacts and the network communication on related hosts before further damage occurs.
YARA Rule
rule Mal_http_EXE : Trojan {
   meta:
      description = "Detects trojan from APT report named http.exe"
      author = "Florian Roth"
      reference = "https://goo.gl/13Wgy1"
      date = "2016-05-25"
      score = 80
      hash1 = "ad191d1d18841f0c5e48a5a1c9072709e2dd6359a6f6d427e0de59cfcd1d9666"
   strings:
      $x1 = "Content-Disposition: form-data; name=\"file1\"; filename=\"%s\"" fullword ascii
      $x2 = "%ALLUSERSPROFILE%\\Accessories\\wordpade.exe" fullword ascii
      $x3 = "\\dumps.dat" fullword ascii
      $x4 = "\\wordpade.exe" fullword ascii
      $x5 = "\\%s|%s|4|%d|%4d-%02d-%02d %02d:%02d:%02d|" fullword ascii
      $x6 = "\\%s|%s|5|%d|%4d-%02d-%02d %02d:%02d:%02d|" fullword ascii
      $x7 = "cKaNBh9fnmXgJcSBxx5nFS+8s7abcQ==" fullword ascii
      $x8 = "cKaNBhFLn1nXMcCR0RlbMQ==" fullword ascii /* base64: pKY1[1 */
      $s1 = "SELECT * FROM moz_logins;" fullword ascii
      $s2 = "makescr.dat" fullword ascii
      $s3 = "%s\\Mozilla\\Firefox\\profiles.ini" fullword ascii
      $s4 = "?moz-proxy://" fullword ascii
      $s5 = "[%s-%s] Title: %s" fullword ascii
      $s6 = "Cforeign key mismatch - \"%w\" referencing \"%w\"" fullword ascii
      $s7 = "Windows 95 SR2" fullword ascii
      $s8 = "\\|%s|0|0|" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) and 2 of ($s*) ) ) or ( 3 of ($x*) )
}
This rule is meant for file and memory scanning. It contains 16 string patterns: eight high-confidence $x strings (the upload header, the wordpade.exe and dumps.dat paths, two pipe-delimited log format strings and two base64 blobs) and eight supporting $s strings, several of which (the SQLite "foreign key mismatch" error text, the "Windows 95 SR2" version string, the Firefox profiles.ini path) also occur in benign software that links SQLite or reads Firefox profiles. The condition therefore accepts a file in one of two ways: a PE file (MZ header) under 2000 KB that contains at least one $x string and at least two $s strings, or any file of any size that contains at least three $x strings. The $s strings never trigger the rule on their own.
Scenario: Legitimate binary that happens to be named http.exe
Description: The filename http.exe is only how the APT report referred to the sample. A web server component or an in-house utility may carry the same name, but the rule never looks at the filename: it matches on strings in the file's contents, so a legitimately named http.exe is a hit only if it also embeds those strings.
Filter/Exclusion: Do not exclude on path or parent process alone, and never on a path such as C:\Windows\System32\, which is where dropped malware is routinely placed. Instead run yara -s to see which identifiers matched, compare the file's SHA-256 with hash1 in the rule, and check for a valid vendor code signature. A signed vendor binary whose hit rests on one $x string plus common $s strings can then be allowlisted by hash. While on the host, also look for the artifacts the rule's $x strings name, wordpade.exe under %ALLUSERSPROFILE%\Accessories and a dumps.dat file; those are stronger evidence than the filename.
Scenario: Scheduled task or maintenance script that launches a tool named http.exe
Description: A scheduled task (created with schtasks.exe) or a maintenance script may run a tool named http.exe for remote management or software updates.
Filter/Exclusion: Command-line arguments and target URLs do not affect a YARA match, which is decided by the binary's contents, so do not exclude on a command line that mentions an internal update server (e.g., https://internal-update-server/). Verify the binary the task points at, by hash, code signature and the matched strings, before excluding it. If the match is confirmed, the task is the launch point to record and remove.
Scenario: Administrator running an HTTP client for manual testing or debugging
Description: A system administrator may run an HTTP client such as curl or wget, possibly renamed or wrapped as http.exe, to test connectivity or API calls against internal endpoints (e.g., https://api.internal.dev/health).
Filter/Exclusion: Do not exclude on the user being an administrator; an administrative account is exactly the context in which a confirmed hit matters most, and the URL being tested says nothing about the binary. Treat the hit like any other: identify the matched strings, hash the file and check its signature. A stock HTTP client is not expected to carry the rule's $x strings, so a genuine match on one should be escalated rather than filtered.
Scenario: Endpoint protection component named http.exe
Description: Some endpoint security tools ship a helper that communicates with the vendor's cloud-based threat-intelligence service, and such a helper could be named http.exe.
Filter/Exclusion: Do not exclude on the parent process name; process names are trivially copied, and the rule matches file contents, not process lineage. Confirm the file is the vendor's own component through its code signature and hash, then allowlist that hash. Also check for known security tool directories