This rule does not detect the execution of a Python script. It is a YARA rule that matches file contents; the "From cromosome.py" in its meta block records the Koodous tooling the strings were lifted with, not the thing being detected. The strings themselves (the path of a device-admin policy XML, the resource name device_admin_desc, and the class names PillagedActivity and EpigraphyService) point at an Android application that declares a Device Administrator component, a capability Android malware abuses to resist uninstallation and lock the device. Run the rule with the yara CLI or a YARA-capable scanner (Koodous, referenced in the meta, is one) over unpacked APK samples, or wire file-scan matches into your SIEM as alerts; it is a sample-scanning rule, not a process-execution hunt.
YARA Rule
rule towelhacking_cromosome
{
meta:
author = "Fernando Denis Ramirez https://twitter.com/fdrg21"
reference = "https://koodous.com/"
description = "From cromosome.py"
strings:
$cromosome_a = "res/xml/device_admin_data.xml]"
$cromosome_b = "data:image/png;base64,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"
$cromosome_c = "device_admin_desc"
$cromosome_d = "PillagedActivity"
$cromosome_e = "EpigraphyService"
condition:
($cromosome_a and $cromosome_b) or ($cromosome_c and $cromosome_d and $cromosome_e)
}
The rule declares five plain text strings ($cromosome_a to $cromosome_e) and fires when either the pair (a, b) or the triple (c, d, e) is found in one scanned file. Three things to check before relying on it. First, $cromosome_a carries a trailing "]" after the .xml extension, which looks like it was copied from a file listing (a Python list representation, for instance) rather than from the APK; a raw archive path or an unpacked file will not contain that bracket, so branch one may never fire on real samples. Second, $cromosome_b is a base64 PNG data URI that is truncated on this page, so the rule as shown here cannot be deployed verbatim; obtain the full string from the source before use. Third, YARA text strings match ASCII bytes only unless the wide modifier is set, so names stored as UTF-16 text (as the binary AndroidManifest.xml typically is) are not matched; class names in classes.dex are stored in modified UTF-8 and do match. Because an APK is a zip, scan the unpacked contents rather than the archive, otherwise compressed entries are invisible to the rule.
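The condition above, re-implemented in plain Python and run over constructed byte samples so the two branches and the matching pitfalls can be checked without a yara binary. This is an added example, not code from the page or from Koodous. Because $cromosome_b is truncated on the page, the example stands in only its "data:image/png;base64," prefix (an assumption that weakens branch one; the real rule needs the full payload). The sample files are constructed, not real malware, and the example goes beyond the page by showing per-file evaluation and the ASCII-only matching behaviour of a YARA text string without the wide modifier.

```python
"""Condition of rule towelhacking_cromosome re-implemented in Python and
evaluated over constructed samples. Added example, not the page's code."""

# The five literals from the rule. $cromosome_b is truncated on the page,
# so only its data-URI prefix is used here (assumption, see lead-in).
STRINGS = {
    "a": b"res/xml/device_admin_data.xml]",
    "b": b"data:image/png;base64,",
    "c": b"device_admin_desc",
    "d": b"PillagedActivity",
    "e": b"EpigraphyService",
}


def string_hits(data: bytes) -> set:
    """Identifiers of the rule strings present in data.

    Mirrors YARA's default matching for a plain text string: ASCII bytes,
    case-sensitive, no 'wide' modifier, so UTF-16LE text (as found in a
    binary AndroidManifest.xml) is not matched.
    """
    return {name for name, literal in STRINGS.items() if literal in data}


def rule_matches(data: bytes) -> bool:
    """condition: ($cromosome_a and $cromosome_b) or
                  ($cromosome_c and $cromosome_d and $cromosome_e)"""
    hits = string_hits(data)
    return {"a", "b"} <= hits or {"c", "d", "e"} <= hits


def scan_unpacked(files: dict) -> list:
    """Evaluate the rule per file, as `yara -r rule.yar dir/` does, and
    return the paths that match. Strings found in different files never
    combine, which matters when the strings were lifted from an analysis
    report rather than from a single file."""
    return [path for path, data in files.items() if rule_matches(data)]


# Constructed samples (not real malware artefacts): path -> file bytes of
# an unpacked APK.
SUSPECT = {
    "classes.dex": (b"dex\n035\x00"
                    b"Lcom/example/PillagedActivity;"
                    b"Lcom/example/EpigraphyService;"
                    b"device_admin_desc"),
}
# A legitimate MDM-style app: declares a device admin, so it carries
# device_admin_desc, but not the two class names -> branch two misses.
BENIGN_MDM = {
    "res/xml/device_admin.xml":
        b'<device-admin android:description="@string/device_admin_desc"/>',
    "classes.dex": b"dex\n035\x00Lcom/corp/mdm/AdminReceiver;",
}
# A listing line with the path but without the trailing ']' from
# $cromosome_a, plus the image prefix: branch one does not fire.
LISTING_NO_BRACKET = (b"res/xml/device_admin_data.xml\n"
                      b"data:image/png;base64,iVBORw0KGgo=")
LISTING_WITH_BRACKET = LISTING_NO_BRACKET.replace(b".xml\n", b".xml]\n")
# The same names as UTF-16LE text: no hits without the 'wide' modifier.
WIDE_NAMES = ("PillagedActivity EpigraphyService device_admin_desc"
              .encode("utf-16-le"))


def demo() -> dict:
    """Run every constructed sample through the rule."""
    return {
        "suspect": scan_unpacked(SUSPECT),
        "benign_mdm": scan_unpacked(BENIGN_MDM),
        "no_bracket": rule_matches(LISTING_NO_BRACKET),
        "with_bracket": rule_matches(LISTING_WITH_BRACKET),
        "wide_only": string_hits(WIDE_NAMES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the constructed classes.dex matches, via branch two; the benign device-admin app reaches $cromosome_c alone and is not flagged; the bracket-less listing and the UTF-16 text produce no match, which is the behaviour to expect from the real rule on unpacked samples unless its strings are adjusted.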
Scenario: A legitimate enterprise MDM or security app declares a DeviceAdminReceiver, so its unpacked resources contain a device-admin policy XML and the resource name device_admin_desc.
Filter/Exclusion: No change needed as written: branch two also requires the class names PillagedActivity and EpigraphyService, and branch one requires the exact PNG payload, so such an app reaches at most $cromosome_c. If the rule is ever loosened to match on the device-admin strings alone, keep the class names or another family-specific string in the condition.
Scenario: Raw APK files are scanned directly rather than after unpacking, so compressed entries (classes.dex, resources) are never seen and only the plain archive file names can match.
Filter/Exclusion: Unpack samples first (unzip, or apktool for decoded resources) and run yara -r over the resulting directory; treat a match on the unextracted archive as unreliable.
Scenario: Analyst notes, sandbox reports or decompilation output that quote the rule's own strings, for example a file listing in which paths are printed inside brackets, match the rule on the report text rather than on a sample.
Filter/Exclusion: Scope scans to sample directories and exclude report, text and rule-repository paths, or check that the matched file is a dex, resource or manifest file before acting on the hit.
Scenario: The same sample is repackaged under several package names by an operator, producing many near-identical hits.
Filter/Exclusion: Deduplicate on file hash and signing certificate before triage rather than suppressing the rule.