The ‘blackhole_basic’ rule matches the URL shape used by the Blackhole exploit kit (hence the EK tag on the rule): a request for a .php page whose query string carries a colon-separated alphanumeric token of at least six characters, followed by further ampersand-delimited parameters. Blackhole compromised browsers through drive-by downloads and delivered a malware payload, so the pattern appears at the redirection and landing-page stage, before any payload runs on the host. SOC teams can hunt for it in proxy, web-server and IDS logs (for example after ingesting those logs into Azure Sentinel) to catch early-stage compromise attempts that signature-based endpoint detection may miss.
YARA Rule
rule blackhole_basic : EK
{
    strings:
        $a = /\.php\?.*?\:[a-zA-Z0-9\:]{6,}?\&.*?\&/
    condition:
        $a
}
This rule contains a single string pattern in its detection logic, a regular expression over the URL text. It can therefore be applied wherever the raw URL is available as text: proxy or web-server logs, packet captures, cached HTML and the like.
Scenario: System Backup Job Execution
Description: A legitimate backup job (e.g., Veeam, Acronis, or Windows Backup) is running and generating files that match the YARA rule.
Filter/Exclusion: Check for file paths containing backup, snapshot, or vmbackup in the file name or path. Use a filter like:
file_name contains "backup" or file_name contains "snapshot"
Scenario: Scheduled Administrative Task
Description: A scheduled task (e.g., Task Scheduler or cron job) is performing routine maintenance and generating files that match the rule.
Filter/Exclusion: Filter by process name or user context, such as:
process_name == "schtasks.exe" or user == "SYSTEM"
Apply such an exclusion narrowly. Malware frequently runs as SYSTEM or under a scheduler as well, so excluding every hit in that context can suppress genuine detections; prefer to pair the user or process filter with the specific task or script that is known to produce the matching content.
Scenario: Log File Generation
Description: A legitimate application (e.g., Splunk, ELK Stack, or Windows Event Log) is writing log files that match the YARA rule.
Filter/Exclusion: Check for file extensions like .log, .txt, or .csv, and filter by file path:
file_extension == ".log" or file_path contains "logs"
Scenario: Virtual Machine Snapshot Creation
Description: A virtualization platform (e.g., VMware, Hyper-V) is creating a VM snapshot, which generates temporary files that match the rule.
Filter/Exclusion: Filter by file path containing vmware-snapshot, vhdx, or vmdk, or check for process names like vmrun.exe or vmtoolsd.exe:
file_path contains "vmware-snapshot" or process_name == "vmrun.exe"
All four scenarios apply only when the rule is run over files on disk. Because the rule's only string is a URL-shaped regex, the first triage step for any hit should be to extract the matched URL and judge whether the colon-separated token and the surrounding parameters look like the exploit-kit pattern; path, process and user exclusions are a fallback for sources that are known to embed such URLs legitimately.
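The following added example is not part of the original rule set; it transcribes the rule's single regex into Python and runs it over a handful of constructed proxy-log lines (the example.invalid hosts and the query strings are made up, not real indicators). It shows which URL shapes trigger blackhole_basic, why a near-miss such as a short timestamp does not, and how a benign but long colon-separated value produces the kind of false positive the scenarios above are meant to filter.

```python
import re

# The single string from the blackhole_basic YARA rule, transcribed verbatim.
# YARA and Python's re agree on every construct used here (lazy quantifiers,
# the character class, and the escaped '.', '?', ':' and '&'), so re.search()
# gives the same match / no-match verdict YARA would for a single-line input.
BLACKHOLE_BASIC = re.compile(r"\.php\?.*?\:[a-zA-Z0-9\:]{6,}?\&.*?\&")


def matches_blackhole_basic(text: str) -> bool:
    """True if the text contains a URL that satisfies the blackhole_basic string."""
    return BLACKHOLE_BASIC.search(text) is not None


def hunt(log_lines):
    """Return (line, matched_fragment) pairs for every line that triggers the rule.

    The matched fragment is what an analyst should look at first during triage:
    it shows the colon-separated token and the parameters around it.
    """
    hits = []
    for line in log_lines:
        m = BLACKHOLE_BASIC.search(line)
        if m:
            hits.append((line, m.group(0)))
    return hits


# Constructed proxy-log lines (hypothetical hosts under example.invalid, not
# real indicators). Columns: client IP, method, URL.
SAMPLE_LOG = [
    # Blackhole-style landing page: colon-delimited tokens between '&'.
    "10.0.0.12 GET http://example.invalid/links/assure.php?hgfb=2v:1m:1l:33:1i&ohayx=1m:1l:2v:32&jfwqw=1k",
    # Ordinary PHP application: no colon in the query string at all.
    "10.0.0.13 GET http://example.invalid/index.php?id=5&page=2&sort=asc",
    # Colon present, but only five class characters before the next '&',
    # so the {6,} quantifier is never satisfied.
    "10.0.0.14 GET http://example.invalid/time.php?t=12:30:00&zone=UTC&x=1",
    # Benign value that still satisfies the pattern: a false positive.
    "10.0.0.15 GET http://example.invalid/report.php?when=20240915:123456&fmt=csv&dl=1",
]


if __name__ == "__main__":
    for line, fragment in hunt(SAMPLE_LOG):
        print(f"HIT  {line}\n     matched: {fragment}")
```

Running the block reports the first and fourth lines as hits. The fourth line is the instructive one: nothing about it is malicious, yet it matches because the rule only constrains the shape of the query string, which is why hits should be triaged on the extracted fragment rather than accepted or excluded wholesale.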