Adversaries may embed /Launch actions in PDF documents to execute malicious payloads or maintain persistence within the environment. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify compromise attempts that evade traditional detection methods.
YARA Rule
rule suspicious_launch_action : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 2
    strings:
        $magic = { 25 50 44 46 }
        $attrib0 = /\/Launch/
        $attrib1 = /\/URL /
        $attrib2 = /\/Action/
        $attrib3 = /\/OpenAction/
        $attrib4 = /\/F /
    condition:
        $magic in (0..1024) and 3 of ($attrib*)
}
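To make the rule's condition concrete, the following added example (not the rule author's code and not part of the original page) re-implements its logic in plain Python: the `%PDF` magic must start within the first 1024 bytes, and at least three of the five `$attrib*` regexes must hit somewhere in the file. The two PDF byte strings and the prefixed variant are constructed inputs; they also show the caveat that a PDF with more than 1024 bytes of leading junk will not match.

```python
import re

# Mirrors "$magic = { 25 50 44 46 }" (the bytes of "%PDF").
MAGIC = b"%PDF"

# Mirrors the five $attrib* regex strings of the rule.
ATTRIB_PATTERNS = {
    "attrib0": re.compile(rb"/Launch"),
    "attrib1": re.compile(rb"/URL "),
    "attrib2": re.compile(rb"/Action"),
    "attrib3": re.compile(rb"/OpenAction"),
    "attrib4": re.compile(rb"/F "),
}


def magic_in_header(data: bytes, window: int = 1024) -> bool:
    """Mirrors "$magic in (0..1024)": the magic must START at offset 0..window."""
    return data.find(MAGIC, 0, window + len(MAGIC)) != -1


def matched_attribs(data: bytes) -> list:
    """Names of the $attrib* patterns found anywhere in the data (sorted)."""
    return sorted(name for name, rx in ATTRIB_PATTERNS.items() if rx.search(data))


def suspicious_launch_action(data: bytes) -> bool:
    """Mirrors the rule condition: magic near the start AND 3 of ($attrib*)."""
    return magic_in_header(data) and len(matched_attribs(data)) >= 3


# Constructed sample: a minimal PDF whose catalog /OpenAction points at a /Launch action.
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Action /S /Launch /F (sample-file.txt) >> endobj\n"
    b"%%EOF\n"
)

# Constructed sample: a benign PDF with no action dictionaries at all.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"%%EOF\n"
)

# Constructed edge case: the same suspicious PDF behind 2000 bytes of junk.
# The magic is no longer within the first 1024 bytes, so the rule does not fire.
PREFIXED_PDF = b"A" * 2000 + SUSPICIOUS_PDF


if __name__ == "__main__":
    for label, sample in [("suspicious", SUSPICIOUS_PDF),
                          ("benign", BENIGN_PDF),
                          ("prefixed", PREFIXED_PDF)]:
        print(label, suspicious_launch_action(sample), matched_attribs(sample))
```

The prefixed case is worth keeping in mind when tuning: the rule is deliberately cheap because it anchors on the header, so files that have been padded or wrapped need a separate check (for example, scanning after carving the embedded PDF out).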
This rule contains 6 string patterns in its detection logic.
This YARA rule can be deployed in the following contexts:
Scenario: Scheduled system maintenance using task scheduler to run DISM or sfc /scannow
Filter/Exclusion: process.name == "sfc.exe" || process.name == "dism.exe"
Scenario: Admin performing a clean install of a software package using msiexec
Filter/Exclusion: process.name == "msiexec.exe" || process.name == "setup.exe"
Scenario: IT department deploying updates via Group Policy using gpupdate
Filter/Exclusion: process.name == "gpupdate.exe" || process.name == "gpmc.msc"
Scenario: User launching a legitimate script or batch file for system diagnostics
Filter/Exclusion: process.name == "cmd.exe" && (process.args contains "script.bat" || process.args contains "diagnostic")
Scenario: Database administrator running a backup job using sqlcmd or sqlbackup
Filter/Exclusion: process.name == "sqlcmd.exe" || process.name == "sqlbackup.exe"
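As an added example (not part of the original page), the script below applies the five exclusions above to a handful of constructed process events and separates what would be escalated from what is suppressed. It also evaluates the cmd.exe exclusion with and without parentheses around its two `||` terms, since in most query languages `&&` binds tighter than `||` and an ungrouped form suppresses any process whose arguments contain "diagnostic", whatever its name. The event fields `name` and `args` and every event are assumptions made for this example.

```python
# Each exclusion is (label, predicate) over a process event dict with "name" and "args".
def grouped_script_filter(ev: dict) -> bool:
    # cmd.exe && (args contains "script.bat" || args contains "diagnostic")
    return ev["name"] == "cmd.exe" and (
        "script.bat" in ev["args"] or "diagnostic" in ev["args"]
    )


def ungrouped_script_filter(ev: dict) -> bool:
    # cmd.exe && args contains "script.bat" || args contains "diagnostic"
    # Python's 'and' binds tighter than 'or', like && and || in most query languages,
    # so the "diagnostic" term applies to every process name.
    return ev["name"] == "cmd.exe" and "script.bat" in ev["args"] or "diagnostic" in ev["args"]


EXCLUSIONS = [
    ("maintenance", lambda ev: ev["name"] in ("sfc.exe", "dism.exe")),
    ("installer", lambda ev: ev["name"] in ("msiexec.exe", "setup.exe")),
    ("group-policy", lambda ev: ev["name"] in ("gpupdate.exe", "gpmc.msc")),
    ("diagnostic-script", grouped_script_filter),
    ("db-backup", lambda ev: ev["name"] in ("sqlcmd.exe", "sqlbackup.exe")),
]


def triage(events: list, exclusions=EXCLUSIONS):
    """Return (escalated_indexes, {index: exclusion_label}) for the given events."""
    escalated, excluded = [], {}
    for i, ev in enumerate(events):
        for label, pred in exclusions:
            if pred(ev):
                excluded[i] = label
                break
        else:
            escalated.append(i)
    return escalated, excluded


# Constructed sample events for this example.
EVENTS = [
    {"name": "sfc.exe", "args": "sfc /scannow"},
    {"name": "msiexec.exe", "args": "msiexec /i app.msi /qn"},
    {"name": "cmd.exe", "args": "cmd /c script.bat"},
    {"name": "cmd.exe", "args": "cmd /c deploy.bat"},
    {"name": "unknown.exe", "args": "unknown.exe --diagnostic"},
    {"name": "sqlcmd.exe", "args": 'sqlcmd -Q "BACKUP DATABASE app TO DISK=...\"'},
]

# The same exclusion list with the ungrouped cmd.exe filter swapped in, for comparison.
UNGROUPED_EXCLUSIONS = [
    (label, ungrouped_script_filter if label == "diagnostic-script" else pred)
    for label, pred in EXCLUSIONS
]


if __name__ == "__main__":
    print("grouped:  ", triage(EVENTS))
    print("ungrouped:", triage(EVENTS, UNGROUPED_EXCLUSIONS))
```

With the grouped filter, events 3 (cmd.exe running an unrelated batch file) and 4 (an unknown binary) are escalated; with the ungrouped filter, event 4 is silently suppressed because its arguments happen to contain "diagnostic".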