The rule identifies the Windows kernel driver used by the BlackEnergy toolkit, which poses as an "AMD IDE driver". It matches PE files under 150 KB that contain, as UTF-16 strings, the driver description " AMD IDE driver", the string SessionEnv, and the fixed prefix {C9059FFF-1C49-4445-83E8- of the device names the driver creates under \Device\ and \DosDevices\. Florian Roth derived it from the samples referenced in ESET's January 2016 analysis of the BlackEnergy attacks on Ukrainian news media and electricity companies (hashes listed in the rule). Because all four strings must be present together with the MZ header and size bound, a hit is a high-confidence indicator that a known malicious driver is on disk, not a sign of generic suspicious file activity. SOC teams should run the rule in endpoint and sandbox file scans, forward hits to the SIEM (for example Azure Sentinel) for hunting and correlation, and treat a match as a confirmed-compromise event that starts host triage rather than as an early-warning signal to tune.
YARA Rule
rule BlackEnergy_Driver_AMDIDE
{
meta:
description = "Auto-generated rule - from files 32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614, 3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2, 90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c, 97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1"
author = "Florian Roth"
reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
date = "2016-01-04"
super_rule = 1
hash1 = "32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614"
hash2 = "3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2"
hash3 = "90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c"
hash4 = "97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1"
hash5 = "5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc"
hash6 = "cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988"
hash7 = "1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68"
strings:
$s1 = " AMD IDE driver" fullword wide
$s2 = "SessionEnv" fullword wide
$s3 = "\\DosDevices\\{C9059FFF-1C49-4445-83E8-" wide
$s4 = "\\Device\\{C9059FFF-1C49-4445-83E8-" wide
condition:
uint16(0) == 0x5a4d and filesize < 150KB and all of them
}
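To make the condition's operators concrete, here is an added example that re-implements the rule's condition in plain Python. This is editor-added code, not part of the original page or of Florian Roth's rule, and it is not a substitute for running yara itself: it encodes each string as UTF-16LE because of the `wide` modifier, applies YARA's `fullword` check to $s1 and $s2 by inspecting the adjacent wide character, treats `150KB` as 150 * 1024 bytes, and reads `uint16(0)` little-endian. The buffers it scans are constructed stand-ins rather than real samples, and the GUID suffix 000000000000 is a placeholder.

```python
"""Plain-Python emulation of the BlackEnergy_Driver_AMDIDE condition.

Added example for this page (not part of the original rule); the byte buffers
below are constructed stand-ins, not real BlackEnergy samples.
"""

# The rule's four string patterns as (text, fullword). All are declared `wide`,
# so YARA searches for their UTF-16LE encoding, never the ASCII form.
STRINGS = {
    "$s1": (" AMD IDE driver", True),
    "$s2": ("SessionEnv", True),
    "$s3": ("\\DosDevices\\{C9059FFF-1C49-4445-83E8-", False),
    "$s4": ("\\Device\\{C9059FFF-1C49-4445-83E8-", False),
}

MAX_SIZE = 150 * 1024  # YARA's "150KB" is 150 * 1024 = 153600 bytes


def wide(text: str) -> bytes:
    """Encode a string the way YARA's `wide` modifier expects to find it."""
    return text.encode("utf-16-le")


def _wide_alnum_at(data: bytes, i: int) -> bool:
    """True if data[i:i+2] is an ASCII-alphanumeric UTF-16LE character."""
    return 0 <= i and i + 1 < len(data) and data[i + 1] == 0 and bytes([data[i]]).isalnum()


def find_wide(data: bytes, text: str, fullword: bool):
    """Return the offset of the first acceptable match of a wide string, or None.

    For `fullword`, YARA rejects a candidate whose neighbouring wide character
    (just before or just after the match) is alphanumeric.
    """
    pat = wide(text)
    start = 0
    while (off := data.find(pat, start)) != -1:
        if not fullword or (not _wide_alnum_at(data, off - 2)
                            and not _wide_alnum_at(data, off + len(pat))):
            return off
        start = off + 2  # wide strings advance in 2-byte steps
    return None


def evaluate(data: bytes) -> dict:
    """Evaluate `uint16(0) == 0x5a4d and filesize < 150KB and all of them`."""
    mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    size_ok = len(data) < MAX_SIZE
    hits = {name: find_wide(data, text, fw) for name, (text, fw) in STRINGS.items()}
    return {
        "mz": mz,
        "size_ok": size_ok,
        "strings": hits,
        "match": mz and size_ok and all(off is not None for off in hits.values()),
    }


def _pe_like(*parts: bytes) -> bytes:
    """Constructed stand-in for a small PE: MZ magic, 62 filler bytes, then the
    given byte strings separated by a wide NUL. Not a valid PE, but enough for
    the checks the rule performs."""
    return b"MZ" + b"\x00" * 62 + b"\x00\x00".join(parts) + b"\x00" * 64


# Constructed inputs (the GUID suffix 000000000000 is a placeholder).
DEVICE = "\\Device\\{C9059FFF-1C49-4445-83E8-000000000000}"
DOSDEVICE = "\\DosDevices\\{C9059FFF-1C49-4445-83E8-000000000000}"

SAMPLE_MATCH = _pe_like(wide(" AMD IDE driver"), wide("SessionEnv"), wide(DOSDEVICE), wide(DEVICE))
# Same strings stored as ASCII: `wide` patterns do not match them.
SAMPLE_ASCII = _pe_like(b" AMD IDE driver", b"SessionEnv", DOSDEVICE.encode(), DEVICE.encode())
# "SessionEnv" embedded inside a longer word fails the `fullword` check.
SAMPLE_NOT_FULLWORD = _pe_like(wide(" AMD IDE driver"), wide("XSessionEnvY"), wide(DOSDEVICE), wide(DEVICE))
# Only three of the four strings: `all of them` is not satisfied.
SAMPLE_PARTIAL = _pe_like(wide(" AMD IDE driver"), wide("SessionEnv"), wide(DOSDEVICE))
# Everything present, but padded past the 150 KB bound.
SAMPLE_OVERSIZED = SAMPLE_MATCH + b"\x00" * MAX_SIZE
# The rule text itself is ASCII and has no MZ header, so it can never trip the rule.
RULE_TEXT = b'rule x { strings: $s3 = "\\\\DosDevices\\\\{C9059FFF-1C49-4445-83E8-" wide condition: all of them }'

if __name__ == "__main__":
    for name, buf in [("match", SAMPLE_MATCH), ("ascii", SAMPLE_ASCII),
                      ("not_fullword", SAMPLE_NOT_FULLWORD), ("partial", SAMPLE_PARTIAL),
                      ("oversized", SAMPLE_OVERSIZED), ("rule_text", RULE_TEXT)]:
        print(f"{name:13s} -> {evaluate(buf)['match']}")
```

Only the first buffer matches; the others each fail exactly one of the rule's requirements, which is the point of the `all of them` condition: a partial hit is not a hit.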
This YARA rule can be deployed in the following contexts: on-demand or scheduled file scans of Windows hosts (the yara command-line tool, or an EDR that accepts custom YARA rules), scanning of files collected during incident response (driver directories, disk images, memory dumps), and retrohunts over sample repositories. It is a file-content rule, not a process or event rule: it is applied to bytes on disk, not to a log stream.
This rule contains 4 string patterns in its detection logic. All four are UTF-16 (wide) strings and all four must match, and the condition additionally requires the MZ magic at offset 0 and a file size under 150 KB. Because the device-name GUID prefix is specific to these samples, benign matches are unlikely, and any exclusions should be by path rather than by process name.
Scenario: Malware repository, sandbox storage or AV quarantine
Description: Copies of the referenced samples kept for analysis match the rule by design.
Filter/Exclusion: Exclude those directories from routine scans, or tag hits from them as expected.
Scenario: Forensic image or backup of a compromised host
Description: A disk image or backup taken after infection still contains the driver; the hit is evidence, not noise.
Filter/Exclusion: Do not suppress; attribute the hit to the source host and the date of the image.
Scenario: Scheduled tasks, file integrity checkers, backup jobs, patch deployment and log rotation
Description: Tools such as Task Scheduler, Tripwire, OSSEC, Veeam, Commvault, rsync, WSUS, Ansible, Logrotate or Splunk touch many files, but they do not write the UTF-16 BlackEnergy device names into a PE under 150 KB, so they do not cause matches for this rule. Process-name filters such as process.name != "schtasks.exe" belong to process-telemetry rules and have no effect on a YARA file scan.
Filter/Exclusion: None needed.