This YARA rule was written from static analysis of a single sample (the SHA-256 in its meta block, sourced from Koodous) and flags a file that contains all three of the listed strings. attachBaseContext is the android.content.ContextWrapper method that an Android Application subclass overrides, so the rule targets Android APK/DEX content; the other two strings are identifiers taken from the sample, and requiring them alongside attachBaseContext is what makes the match specific. It is a file-content rule for a scanner, sandbox or malware repository, not a log-hunting query.
YARA Rule
rule towelhacking_analysis
{
    meta:
        author = "Fernando Denis Ramirez https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "From static analysis"
        sample = "258c34428e214d2a49d3de776db98d26e0bd0abc452249c8be8cdbcb10218e8c"
    strings:
        $analysis_a = "LoganberryApplication"
        $analysis_b = "attachBaseContext"
        $analysis_c = "Obstetric"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts: the yara command-line scanner run over APK and DEX files or a decompiled source tree, a sandbox or malware repository such as Koodous (the rule's reference), or any file-scanning engine that accepts YARA. It inspects file bytes, not process creation or command lines, so process-name exclusions for backup agents, package managers, CI scanners, log shippers or endpoint-security tools are not a meaningful way to tune it.
This rule contains 3 string patterns in its detection logic. They are plain, case-sensitive ASCII strings (no wide or nocase modifiers), and the condition all of them requires every one of them to be present; a file containing only one or two does not match.
Scenario: Legitimate Android app or app wrapper that overrides attachBaseContext
Filter/Exclusion: No exclusion needed. attachBaseContext on its own is common in benign APKs; the rule only fires when LoganberryApplication and Obstetric are also present.
Scenario: Scanning file shares or endpoints that hold no Android artifacts
Filter/Exclusion: Restrict the scan to APK, DEX and decompiled source files. The three strings are ordinary ASCII text and could in principle appear together in unrelated files, and scanning everything is wasted cost.
Scenario: Known-good file re-triggering on repeated scans
Filter/Exclusion: Allowlist by file hash (the rule's own meta records the original detection by SHA-256) rather than by process name.
Scenario: Variant of the sample with renamed identifiers
Filter/Exclusion: This is a detection gap, not a false positive. The rule was derived from one sample and will miss a variant that renames the two sample-specific strings, so revalidate it against new samples and extend the strings section when a variant appears.
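As an added illustration, not code from the rule's author or from Koodous, the following Python emulates the rule's matching semantics (plain ASCII strings, all of them required) on constructed byte fragments shaped like a DEX string pool, and, when the yara-python package happens to be installed, cross-checks the verdict against the real engine. The sample bytes, the class names under Lcom/sample/ and Lcom/example/, and the function names are assumptions made for the example; the rule text itself is the one on this page.

```python
import re

# The rule text from the page, embedded so the optional yara-python cross-check
# compiles exactly what the reader sees above.
TOWELHACKING_RULE = r'''
rule towelhacking_analysis
{
    meta:
        author = "Fernando Denis Ramirez https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "From static analysis"
        sample = "258c34428e214d2a49d3de776db98d26e0bd0abc452249c8be8cdbcb10218e8c"
    strings:
        $analysis_a = "LoganberryApplication"
        $analysis_b = "attachBaseContext"
        $analysis_c = "Obstetric"
    condition:
        all of them
}
'''

# The same three patterns as bytes. A YARA text string with no modifier is a
# plain, case-sensitive ASCII match; "all of them" needs every one to hit.
RULE_STRINGS = {
    "$analysis_a": b"LoganberryApplication",
    "$analysis_b": b"attachBaseContext",
    "$analysis_c": b"Obstetric",
}


def match_towelhacking(data: bytes) -> dict:
    """Emulate the rule: per-string match offsets plus the overall verdict."""
    hits = {
        name: [m.start() for m in re.finditer(re.escape(pat), data)]
        for name, pat in RULE_STRINGS.items()
    }
    return {"matched": all(hits[name] for name in RULE_STRINGS), "hits": hits}


def scan_with_yara(data: bytes):
    """Cross-check with the real engine if yara-python is installed, else None."""
    try:
        import yara
    except ImportError:
        return None
    rules = yara.compile(source=TOWELHACKING_RULE)
    return len(rules.match(data=data)) > 0


# Constructed samples (not real malware): fragments shaped like the string pool
# of a classes.dex, which is where class and method names are stored.
SAMPLE_DROPPER = (
    b"Lcom/sample/LoganberryApplication;\x00attachBaseContext\x00"
    b"Lcom/sample/Obstetric;\x00loadDex\x00"
)
# A benign app overriding attachBaseContext: only $analysis_b is present, so
# the conjunction in the condition keeps this from matching.
SAMPLE_BENIGN_APP = b"Lcom/example/MyApplication;\x00attachBaseContext\x00onCreate\x00"
# First identifier stored as UTF-16LE: the rule has no 'wide' modifier, so
# $analysis_a does not hit and the verdict stays negative.
SAMPLE_WIDE = (
    "LoganberryApplication".encode("utf-16-le")
    + b"\x00attachBaseContext\x00Obstetric\x00"
)


def triage(samples: dict) -> dict:
    """Map sample name -> rule verdict, the shape a batch scan would report."""
    return {name: match_towelhacking(data)["matched"] for name, data in samples.items()}


if __name__ == "__main__":
    samples = {"dropper": SAMPLE_DROPPER, "benign": SAMPLE_BENIGN_APP, "wide": SAMPLE_WIDE}
    for name, verdict in triage(samples).items():
        print(f"{name:8s} matched={verdict} yara={scan_with_yara(samples[name])}")
```

Running it shows the dropper fragment matching, the benign app not matching despite containing attachBaseContext, and the UTF-16 variant not matching because the rule's strings are ASCII-only; adding the wide modifier to the rule would be the change if such encoding were observed in real samples.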