The Adware detection rule identifies potential adware activity by monitoring unusual network traffic patterns that may indicate unauthorized data exfiltration or persistent communication with malicious servers. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage adware infections before they escalate into more severe threats.
YARA Rule
rule adware : ads android
{
    meta:
        author = "Fernando Denis Ramirez https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "Adware"
        sample = "5a331231f997decca388ba2d73b7dec1554e966a0795b0cb8447a336bdafd71b"
    strings:
        $string_a = "banner_layout"
        $string_b = "activity_adpath_sms"
        $string_c = "adpath_title_one"
        $string_d = "7291-2ec9362bd699d0cd6f53a5ca6cd"
    condition:
        all of ($string_*)
}
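The rule's condition is `all of ($string_*)`, so a sample must contain every one of the four strings before it fires; a sample carrying only three of them is not a hit. The following pure-Python re-implementation is an added example, not code from the rule page or its author, and exists so the condition can be exercised offline without yara-python. The byte buffers in SAMPLES are constructed for this example and are not real adware samples.

```python
"""Pure-Python evaluation of the adware rule's 'all of' condition (added example)."""
from typing import Dict, List

# The four text strings from the rule, keyed by their YARA identifiers.
# YARA text strings are case-sensitive ASCII by default, so plain bytes.find() mirrors them.
RULE_STRINGS: Dict[str, bytes] = {
    "$string_a": b"banner_layout",
    "$string_b": b"activity_adpath_sms",
    "$string_c": b"adpath_title_one",
    "$string_d": b"7291-2ec9362bd699d0cd6f53a5ca6cd",
}


def find_strings(data: bytes) -> Dict[str, List[int]]:
    """Return, for every rule string present in data, the list of offsets where it occurs."""
    hits: Dict[str, List[int]] = {}
    for ident, needle in RULE_STRINGS.items():
        offsets: List[int] = []
        pos = data.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(needle, pos + 1)
        if offsets:
            hits[ident] = offsets
    return hits


def matches_all_of(data: bytes) -> bool:
    """The rule's actual condition: all of ($string_*)."""
    return set(find_strings(data)) == set(RULE_STRINGS)


def matches_any_of(data: bytes) -> bool:
    """A looser 'any of ($string_*)' variant, shown only to contrast with the real condition."""
    return bool(find_strings(data))


def scan_samples(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Evaluate the rule condition over a dict of name -> bytes."""
    return {name: matches_all_of(data) for name, data in samples.items()}


def scan_file(path: str) -> bool:
    """Evaluate the rule condition over a file on disk (e.g. an extracted APK member)."""
    with open(path, "rb") as fh:
        return matches_all_of(fh.read())


# Constructed sample buffers (not real malware): an APK-like blob with all four strings,
# one with only three of them, and a benign buffer that shares substrings but no full match.
SAMPLES: Dict[str, bytes] = {
    "all_four": (
        b"PK\x03\x04res/layout/banner_layout.xml\x00"
        b"com.example.ads.activity_adpath_sms\x00"
        b"adpath_title_one\x00"
        b"id=7291-2ec9362bd699d0cd6f53a5ca6cd\x00"
    ),
    "three_of_four": (
        b"PK\x03\x04res/layout/banner_layout.xml\x00"
        b"com.example.ads.activity_adpath_sms\x00"
        b"adpath_title_one\x00"
        b"id=placeholder\x00"
    ),
    "benign": b"plain text mentioning a banner and a layout but no rule string",
}


if __name__ == "__main__":
    for name, hit in scan_samples(SAMPLES).items():
        print(f"{name:14s} all_of={hit!s:5s} any_of={matches_any_of(SAMPLES[name])}")
```

Running the block prints that only `all_four` satisfies the rule, while `three_of_four` would satisfy an `any of` condition; this is the trade-off the author made by requiring all four strings, which lowers false positives at the cost of missing variants that drop one of them.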
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: Scheduled system cleanup using CCleaner
Filter/Exclusion: process.name != "ccleaner.exe" and process.name != "ccleaner64.exe"
Scenario: Running Windows Update or Group Policy refresh
Filter/Exclusion: process.name != "wuauclt.exe" and process.name != "gupdate.exe"
Scenario: Executing PowerShell scripts for routine maintenance or configuration
Filter/Exclusion: process.name != "powershell.exe" and process.name != "powershell_ise.exe"
Scenario: Running Microsoft Endpoint Protection (MSPU) or Windows Defender scheduled scans
Filter/Exclusion: process.name != "mpsvc.exe" and process.name != "msseces.exe"
Scenario: Performing backup tasks using Veeam Backup & Replication or Acronis True Image
Filter/Exclusion: process.name != "veeam.exe" and process.name != "acronis.exe"
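Each exclusion above is a pair of `process.name !=` tests; an event survives the filter only when both tests hold, so the two tests must be joined with `and`. Joining them with `or` makes the expression true for every event (no process name can equal both names at once) and silently excludes nothing. The block below is an added example, not part of the original rule page, that applies the scenario pairs to a handful of constructed process events and shows both combinators side by side. The event records and their field names (`process.name`, `dest.domain`) are assumed for this example.

```python
"""Apply the scenario exclusions to constructed process events (added example)."""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Combinator = Callable[[Event, Tuple[str, ...]], bool]

# The exclusion pairs from the scenario list, lower-cased for case-insensitive comparison.
SCENARIO_PAIRS: List[Tuple[str, ...]] = [
    ("ccleaner.exe", "ccleaner64.exe"),
    ("wuauclt.exe", "gupdate.exe"),
    ("powershell.exe", "powershell_ise.exe"),
    ("mpsvc.exe", "msseces.exe"),
    ("veeam.exe", "acronis.exe"),
]


def _name(event: Event) -> str:
    return event.get("process.name", "").lower()


def keep_with_and(event: Event, names: Tuple[str, ...]) -> bool:
    """process.name != a and process.name != b  ->  True means the event is kept."""
    return all(_name(event) != n for n in names)


def keep_with_or(event: Event, names: Tuple[str, ...]) -> bool:
    """process.name != a or process.name != b  ->  always True, so nothing is ever excluded."""
    return any(_name(event) != n for n in names)


def apply_filter(events: List[Event], combinator: Combinator) -> List[Event]:
    """Keep an event only if every scenario pair lets it through."""
    return [e for e in events if all(combinator(e, pair) for pair in SCENARIO_PAIRS)]


# Constructed events (not real telemetry). Mixed case checks that the comparison is
# case-insensitive, as Windows process names are.
EVENTS: List[Event] = [
    {"process.name": "ccleaner64.exe", "dest.domain": "update.example"},
    {"process.name": "CCleaner.exe", "dest.domain": "update.example"},
    {"process.name": "svchost.exe", "dest.domain": "unknown-host.example"},
    {"process.name": "unknown_updater.exe", "dest.domain": "unknown-host.example"},
    {"process.name": "powershell.exe", "dest.domain": "intranet.example"},
]


def surviving_names(events: List[Event], combinator: Combinator) -> List[str]:
    return [e["process.name"] for e in apply_filter(events, combinator)]


if __name__ == "__main__":
    print("and:", surviving_names(EVENTS, keep_with_and))  # only the non-excluded processes
    print("or: ", surviving_names(EVENTS, keep_with_or))   # every event, the exclusion is a no-op
```

A name-only exclusion is also the weakest form of allow-listing, since any process can be launched under one of these file names; in production the pair would normally be tightened with the executable path or signer as well, which the page's filter fields do not carry.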