Files matching the MD5 hash in the rule's metadata are likely in-memory artifacts with no on-disk copy, which suggests evasion of traditional file-based detection. SOC teams should proactively hunt for such in-memory artifacts in Azure Sentinel to identify adversarial activity that avoids standard persistence and execution detection methods.
YARA Rule
rule apt_c16_win_memory_pcclient
{
    meta:
        author = "@dragonthreatlab"
        md5 = "ec532bbe9d0882d403473102e9724557"
        description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
        date = "2015/01/11"
        reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"

    strings:
        $str1 = "Kill You" ascii
        $str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii
        $str3 = "%4.2f KB" ascii
        $encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}

    condition:
        all of them
}
This rule contains 4 string patterns in its detection logic (three ASCII strings and one hex byte sequence), all of which must be present for it to fire. When the rule is deployed, the following benign scenarios may need a filter or exclusion:
Scenario: A legitimate memory dump file is generated by a system diagnostic tool such as Windows Performance Analyzer (WPA) or ProcDump during troubleshooting.
Filter/Exclusion: Exclude files created by known diagnostic tools, identified by process name or command line arguments (e.g., ProcDump, wpa.exe).

Scenario: A scheduled system cleanup task, such as Disk Cleanup or CCleaner, temporarily loads files into memory for processing.
Filter/Exclusion: Exclude files associated with system maintenance tasks by checking the process name or parent process (e.g., cleanmgr.exe, ccleaner.exe).

Scenario: A legitimate admin task, such as a PowerShell script execution or a Task Scheduler job, loads a script or configuration file into memory for processing.
Filter/Exclusion: Exclude files with known PowerShell or script execution patterns, identified by command line arguments or process name (e.g., powershell.exe, -Command).

Scenario: A security tool such as Windows Defender or Malwarebytes temporarily loads files into memory during a scan or analysis.
Filter/Exclusion: Exclude files associated with security software by checking the process name or parent process (e.g., MsMpEng.exe, mbam.exe).

Scenario: A legitimate application like SQL Server or IIS loads configuration or data files into memory during normal operation.
Filter/Exclusion: Exclude files related to known enterprise applications by checking the process name or file path (e.g., sqlservr.exe, iisexpress.exe).
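The following Python is an added illustration, not part of the original page or of Dragon Threat Labs' tooling. It emulates the rule's matching logic (the three ASCII strings and the wildcard-free hex sequence, combined with `all of them`) over raw memory buffers, shows that the rule fires without any MZ header, and then applies the process-name exclusions from the scenarios above to the resulting hits. The sample buffers, the process names attached to them, and the `scan_buffer` / `triage` helpers are constructed for this example; a real deployment compiles the rule with YARA itself rather than re-implementing it.

```python
"""Pure-Python emulation of apt_c16_win_memory_pcclient plus scenario-based
triage. Added example; not a YARA engine and not the page's own code."""

# Patterns copied from the YARA rule above.
RULE_NAME = "apt_c16_win_memory_pcclient"
PATTERNS = {
    "$str1": b"Kill You",
    "$str2": b"%4d-%02d-%02d %02d:%02d:%02d",
    "$str3": b"%4.2f KB",
    # {8A 08 32 CA 02 CA 88 08 40 4E 75 F4} contains no wildcards, so it is a
    # plain byte-sequence search.
    "$encodefunc": bytes.fromhex("8A 08 32 CA 02 CA 88 08 40 4E 75 F4"),
}

# Process names from the page's Filter/Exclusion list, lower-cased for
# case-insensitive comparison, each mapped to the scenario it comes from.
EXCLUDED_PROCESSES = {
    "procdump.exe": "diagnostic tool",
    "wpa.exe": "diagnostic tool",
    "cleanmgr.exe": "system maintenance",
    "ccleaner.exe": "system maintenance",
    "powershell.exe": "admin script execution",
    "msmpeng.exe": "security software",
    "mbam.exe": "security software",
    "sqlservr.exe": "enterprise application",
    "iisexpress.exe": "enterprise application",
}


def scan_buffer(buf: bytes) -> dict:
    """Return first-occurrence offsets per string (-1 = absent) and whether
    `condition: all of them` holds. has_mz is reported only to make the
    point that the rule itself never checks for a PE header."""
    offsets = {name: buf.find(pat) for name, pat in PATTERNS.items()}
    return {
        "rule": RULE_NAME,
        "offsets": offsets,
        "matches": all(off >= 0 for off in offsets.values()),
        "has_mz": buf[:2] == b"MZ",
    }


def triage(hits: list[tuple[str, bytes]]) -> list[dict]:
    """Scan (process_name, memory_region) pairs and mark each rule hit as
    'alert' or 'suppressed' per EXCLUDED_PROCESSES. Suppressed hits stay in
    the output so they can still be logged and hunted over later."""
    results = []
    for proc, region in hits:
        verdict = scan_buffer(region)
        if not verdict["matches"]:
            continue
        reason = EXCLUDED_PROCESSES.get(proc.lower())
        results.append({
            "process": proc,
            "disposition": "suppressed" if reason else "alert",
            "scenario": reason,
            "has_mz": verdict["has_mz"],
        })
    return results


# Constructed sample regions (not real malware) for a stand-alone run.
# A memory-only blob carrying all four patterns and no MZ header:
MEMORY_ONLY = (
    b"\x00" * 16 + PATTERNS["$str2"] + b"\x00" + PATTERNS["$str3"]
    + b"\x00" * 8 + PATTERNS["$encodefunc"] + b"\x00" * 4 + PATTERNS["$str1"]
)
# A PE-looking buffer with only the two format strings: 'all of them' fails.
BENIGN_PE = b"MZ\x90\x00" + b"\x00" * 60 + PATTERNS["$str2"] + PATTERNS["$str3"]

if __name__ == "__main__":
    for label, region in (("MEMORY_ONLY", MEMORY_ONLY), ("BENIGN_PE", BENIGN_PE)):
        v = scan_buffer(region)
        print(f"{label}: matches={v['matches']} has_mz={v['has_mz']} offsets={v['offsets']}")
    for r in triage([("svchost.exe", MEMORY_ONLY),
                     ("MsMpEng.exe", MEMORY_ONLY),
                     ("w3wp.exe", BENIGN_PE)]):
        print(r)
```

Suppressed hits are kept in the output rather than dropped, so a match inside an allowlisted process still lands in the hunting data set and can be reviewed if the exclusion turns out to be too broad.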