The xbot007 rule flags Android samples that contain the literal string "xbot007", the name under which an Android malware family is tracked (the reference points at the matching plugin in maldrolyzer). Because it keys on a single string rather than on behaviour or network traffic, a hit is a triage lead that a file belongs to that family, not evidence of command and control activity on its own. SOC teams can run the rule over collected APKs in a sandbox or file-scanning pipeline and forward hits to their SIEM, such as Microsoft Sentinel (formerly Azure Sentinel), so that suspected infections are investigated before they escalate.
YARA Rule
rule xbot007 : android
{
    meta:
        reference = "https://github.com/maldroid/maldrolyzer/blob/master/plugins/xbot007.py"
    strings:
        $a = "xbot007"
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains a single string pattern in its detection logic, so it matches any file in which the ASCII bytes "xbot007" appear, whatever that file is.
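The following Python is added here as an illustration and is not code from this page or from maldrolyzer. It re-implements the rule's matching logic (one ASCII, case-sensitive string under the condition `any of them`, which YARA evaluates as a substring search over the bytes it is handed) and runs it over constructed samples: it hits on a fabricated classes.dex that carries the family string, hits equally on a benign analyst note that merely mentions the name, and misses entirely when pointed at the zipped APK, because the DEFLATE-compressed entry no longer contains the literal. The sample DEX, manifest and note contents are constructed; the only assumption carried over from the rule is that the family name appears as a plain string inside the DEX.

```python
"""Re-implementation of the xbot007 rule's matching logic for illustration.

Added example, not code from the page or from maldrolyzer.  The rule declares
one ASCII, case-sensitive string and the condition `any of them`, which YARA
evaluates as a substring search over the bytes it is given.
"""
import io
import zipfile
from typing import Dict

# The rule's only string, exactly as declared: ASCII, case-sensitive, with no
# `wide` or `nocase` modifier, so "XBOT007" or a UTF-16 "xbot007" do not match.
RULE_STRINGS = {"$a": b"xbot007"}


def match_xbot007(data: bytes) -> bool:
    """Evaluate the rule's condition (`any of them`) against raw bytes."""
    return any(pattern in data for pattern in RULE_STRINGS.values())


def build_sample_apk() -> bytes:
    """Build a constructed stand-in for an APK: a zip with a manifest and a
    classes.dex whose string table carries the family name.  The DEX content
    is fabricated; only the presence of the literal string matters here."""
    dex = (
        b"dex\n035\x00"
        + b"Lcom/example/app/MainActivity;" * 40
        + b"xbot007"
        + b"Landroid/telephony/SmsManager;" * 40
    )
    buf = io.BytesIO()
    # ZIP_DEFLATED is what real APKs use for classes.dex, so the literal is
    # LZ77/Huffman encoded and no longer present as contiguous bytes.
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 20)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


def scan_apk_entries(apk: bytes) -> Dict[str, bool]:
    """Inflate every entry and apply the rule to each, the way an APK-aware
    scanner should.  Returns {entry name: matched}."""
    results: Dict[str, bool] = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            results[info.filename] = match_xbot007(zf.read(info))
    return results


if __name__ == "__main__":
    apk = build_sample_apk()
    # Constructed benign file: an analyst's note that merely names the family.
    note = b"Triage notes: sample resembles the xbot007 family.\n"

    print("raw zipped APK:", match_xbot007(apk))      # False: literal is compressed away
    print("per-entry scan:", scan_apk_entries(apk))   # classes.dex True, manifest False
    print("benign note:   ", match_xbot007(note))     # True: string-only rule, false positive
```

In practice, unpack the APK (or use a scanner that inflates zip entries) before applying the rule, and treat a hit as a lead to confirm with further analysis rather than as proof of infection, since any file that mentions the name matches.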
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude files with file.name containing veeam or backup and file.path containing C:\Program Files\Veeam\
Scenario: Administrative task of updating Windows Server Update Services (WSUS)
Filter/Exclusion: Exclude files with file.name containing wsus and file.path containing C:\Windows\SoftwareDistribution\
Scenario: Legitimate use of PowerShell for automated configuration management
Filter/Exclusion: Exclude processes with process.name containing powershell.exe and process.args containing -Command or -File
Scenario: Execution of Microsoft Endpoint Configuration Manager (MECM) deployment scripts
Filter/Exclusion: Exclude files with file.name containing ConfigMgr and file.path containing C:\Windows\System32\configmgr\
Scenario: Running SQL Server Agent Jobs for routine database maintenance
Filter/Exclusion: Exclude processes with process.name containing sqlservr.exe and process.args containing -mode or -startup