The slocker rule flags Android APKs that embed the URL aerofigg.org, a string the rule's author associates with the SLocker family (see the meta field); SLocker is Android ransomware that locks the screen and encrypts files on the device. A match is an early-stage indicator: catching a sample at intake, before it is installed on a device, lets a SOC block or triage it before any locking or encryption occurs. The condition uses the androguard YARA module, which is not part of stock YARA, so the rule has to run in a scanner that provides that module, with matches forwarded as events to Microsoft Sentinel (formerly Azure Sentinel) or another SIEM where SOC teams can hunt on them.
YARA Rule
rule slocker: amtrckr
{
    meta:
        family = "slocker"
    condition:
        // androguard module (not in stock YARA): true if any URL extracted from the APK matches the regex
        androguard.url(/aerofigg\.org/)
}
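To see what the condition actually tests, here is an added Python example (not from the page and not androguard's or Koodous' own code) that approximates androguard.url() by pulling URL-shaped strings out of every classes*.dex entry of an APK and applying the rule's regex to them. It builds its own sample APKs in memory (constructed zip files, not valid DEX), so it runs offline; the helper names and the URL-shaped regex are assumptions of this example, and the real module decodes the DEX string pool rather than grepping bytes.

```python
import io
import re
import zipfile

# The regex from the rule's condition.
RULE_URL_RE = re.compile(r"aerofigg\.org")
# Approximation of a URL in the DEX string pool: byte-level, stops at the NUL
# that terminates DEX strings (assumption of this example; androguard parses the
# string table properly instead of grepping).
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def extract_urls(apk_bytes: bytes) -> list[str]:
    """Return URL-shaped strings from every classes*.dex entry of an APK (zip)."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                for m in URL_RE.finditer(zf.read(name)):
                    urls.append(m.group(0).decode("ascii", "replace"))
    return urls


def slocker_match(apk_bytes: bytes) -> bool:
    """Equivalent of the rule's condition: any extracted URL matches aerofigg\\.org."""
    return any(RULE_URL_RE.search(u) for u in extract_urls(apk_bytes))


def build_fake_apk(dex_payload: bytes) -> bytes:
    """Constructed test input: a zip with a classes.dex entry (not a valid DEX)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


# Constructed samples: DEX string-pool entries are NUL-terminated, so the
# payloads mimic that layout.
SUSPECT_APK = build_fake_apk(b"dex\n035\x00Lcom/app/Main;\x00https://aerofigg.org/api/lock\x00")
BENIGN_APK = build_fake_apk(b"dex\n035\x00Lcom/app/Main;\x00https://example.com/update\x00")

if __name__ == "__main__":
    for label, apk in (("suspect", SUSPECT_APK), ("benign", BENIGN_APK)):
        print(label, extract_urls(apk), "->", "MATCH" if slocker_match(apk) else "no match")
```

Because the rule keys on a single domain string, it matches any APK that references aerofigg.org, including a repacked or unrelated sample; treat a hit as a triage lead, not a verdict.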
The process-name exclusions below are for suppressing noise from known-benign Windows processes in a host telemetry pipeline that forwards the rule's matches; they do not change the YARA condition, which only matches an Android APK. Each pair is joined with && (joined with ||, process.name != A || process.name != B is true for every process and excludes nothing), and process names should be compared case-insensitively because Windows image names are.
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Filter/Exclusion: process.name != "vssvc.exe" && process.name != "VeeamBackup.exe"
Scenario: Windows Update or Patching via Windows Server Update Services (WSUS)
Filter/Exclusion: process.name != "wusa.exe" && process.name != "wsuapp.exe"
Scenario: Antivirus Scan Using Microsoft Defender Antivirus
Filter/Exclusion: process.name != "MsMpEng.exe" && process.name != "mpsvc.exe"
Scenario: System Maintenance Task via Task Scheduler (e.g., disk cleanup)
Filter/Exclusion: process.name != "schtasks.exe" && process.name != "taskhost.exe"
Scenario: Log File Analysis Using Splunk Forwarder
Filter/Exclusion: process.name != "splunkforwarder.exe" && process.name != "splunkd.exe"
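An added Python check (example code, not from the page) that runs the five exclusion pairs over a handful of constructed host events, comparing the || form of the filter with the && form. The event dicts, the field name process.name and the helper names are assumptions of this example; what it shows is that with || every event survives the filter, and that the && form only behaves as intended when the comparison ignores case.

```python
# Exclusion pairs as listed on the page.
EXCLUSION_PAIRS = [
    ("vssvc.exe", "VeeamBackup.exe"),
    ("wusa.exe", "wsuapp.exe"),
    ("MsMpEng.exe", "mpsvc.exe"),
    ("schtasks.exe", "taskhost.exe"),
    ("splunkforwarder.exe", "splunkd.exe"),
]

# Constructed sample events (hypothetical host telemetry, not real logs).
EVENTS = [
    {"process.name": "vssvc.exe", "path": r"C:\Backups\snap.vhdx"},
    {"process.name": "MsMpEng.exe", "path": r"C:\Users\alice\Downloads\app.apk"},
    {"process.name": "VSSVC.EXE", "path": r"C:\Backups\snap2.vhdx"},
    {"process.name": "dropper.exe", "path": r"C:\Users\alice\AppData\Local\Temp\app.apk"},
]


def keep_or(event, pair):
    """process.name != A || process.name != B: true for every process when A != B."""
    a, b = pair
    name = event["process.name"]
    return name != a or name != b


def keep_and(event, pair):
    """process.name != A && process.name != B, compared case-insensitively
    because Windows image names are."""
    a, b = pair
    name = event["process.name"].lower()
    return name != a.lower() and name != b.lower()


def alerts(events, keep):
    """Events that pass every exclusion pair under the given keep() semantics."""
    return [e for e in events if all(keep(e, pair) for pair in EXCLUSION_PAIRS)]


if __name__ == "__main__":
    print("|| form keeps:", [e["process.name"] for e in alerts(EVENTS, keep_or)])
    print("&& form keeps:", [e["process.name"] for e in alerts(EVENTS, keep_and)])
```

With the || form all four constructed events reach the analyst; with the && form only dropper.exe does, and the mixed-case VSSVC.EXE event is dropped only because of the lower() normalisation.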