CheshireCat_Gen2 is a generic "super rule" generated from the four samples whose SHA-256 hashes appear in its metadata. It matches small PE files (MZ header, under 200KB) that carry the combination of strings those samples share: COM registration paths for an icon handler under Interface\ and CLSID\, the registry path under which the icon handler for .lnk shortcut files is registered (lnkfile\shellex\IconHandler), "Windows Shell Icon Handler" and "Microsoft Shell Icon Handler" descriptions stored as UTF-16, a mutex name format string, a date format string in the HTTP-header style (day, dd Mon yyyy hh:mm:ss GMT) and a Service Pack version fragment. It is a file-content signature for YARA-capable scanners (the yara command-line tool, yara-python, or endpoint agents that accept YARA rules) and not a log analytic: it evaluates file bytes, not events, so there is nothing for a SIEM such as Azure Sentinel to hunt over unless the scanner's results are forwarded to it.
YARA Rule
rule CheshireCat_Gen2
{
meta:
description = "Auto-generated rule - from files 32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a, 63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
author = "Florian Roth"
reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
date = "2015-08-08"
super_rule = 1
score = 70
hash1 = "ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
hash2 = "32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a"
hash3 = "63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
hash4 = "c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532"
strings:
$a1 = "Interface\\%s\\info" fullword ascii
$a2 = "Interface\\%s\\info\\%s" fullword ascii
$a3 = "CLSID\\%s\\info\\%s" fullword ascii
$a4 = "CLSID\\%s\\info" fullword ascii
$b1 = "Windows Shell Icon Handler" fullword wide
$b2 = "Microsoft Shell Icon Handler" fullword wide
$s1 = "\\StringFileInfo\\%s\\FileVersion" fullword ascii
$s2 = "CLSID\\%s\\AuxCLSID" fullword ascii
$s3 = "lnkfile\\shellex\\IconHandler" fullword ascii
$s4 = "%s: %s, %.2hu %s %hu %2.2hu:%2.2hu:%2.2hu GMT" fullword ascii
$s5 = "%sMutex" fullword ascii
$s6 = "\\ShellIconCache" fullword ascii
$s7 = "+6Service Pack " fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and 7 of ($s*) and 2 of ($a*) and 1 of ($b*)
}
This YARA rule can be loaded by any YARA-compatible scanner and applied to files on disk, in a sandbox or in a malware repository. It contains 13 string patterns in its detection logic: four $a strings (COM/CLSID registration paths), two $b strings (the icon handler descriptions, wide) and seven $s strings. Note that the condition's "7 of ($s*)" with exactly seven $s strings means every $s string must be present; together with two of the four $a strings, one of the two $b strings, the MZ check and the 200KB size limit, this makes the rule narrow by design.
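To make the condition concrete, the following added example (not code from the original page, and not a YARA engine) re-implements in plain Python only the pieces this rule uses: the "fullword ascii" and "fullword wide" string modifiers, uint16(0), filesize and the "N of ($x*)" counts. It builds constructed MZ-headed buffers that stand in for PE files, then evaluates the condition on a full match, on a buffer missing one $s string, on one where the $b strings are stored as ASCII instead of UTF-16, on one where "+6Service Pack " is immediately followed by a digit (which breaks fullword), on a buffer without an MZ header and on one padded past 200KB. The buffers and the helper names (evaluate, build_sample, count_hits) are assumptions for illustration; use the yara CLI or yara-python for real scanning.

```python
"""Emulation of the CheshireCat_Gen2 condition on constructed buffers.

Added example, not part of the original rule page and not a YARA engine: it
re-implements only the string modifiers and condition terms this one rule uses
('fullword ascii', 'fullword wide', uint16(0), filesize, 'N of ($x*)') so the
condition can be stepped through in plain Python.
"""
import re

# String sets copied from the rule; the $a/$b/$s grouping mirrors the wildcards
# used in the condition.
A_STRINGS = [r"Interface\%s\info", r"Interface\%s\info\%s",
             r"CLSID\%s\info\%s", r"CLSID\%s\info"]
B_STRINGS = ["Windows Shell Icon Handler", "Microsoft Shell Icon Handler"]
S_STRINGS = [r"\StringFileInfo\%s\FileVersion", r"CLSID\%s\AuxCLSID",
             r"lnkfile\shellex\IconHandler",
             "%s: %s, %.2hu %s %hu %2.2hu:%2.2hu:%2.2hu GMT",
             "%sMutex", r"\ShellIconCache", "+6Service Pack "]

_ALNUM = rb"[A-Za-z0-9]"


def _pattern(text, wide):
    """Build a regex for a YARA 'fullword' string.

    fullword: the match may not be preceded or followed by an alphanumeric
    character. For 'wide' strings the literal is UTF-16LE and the neighbour
    check looks at the 2-byte code unit on each side (simplified from YARA).
    """
    if wide:
        literal = re.escape(text.encode("utf-16-le"))
        return re.compile(rb"(?<!" + _ALNUM + rb"\x00)" + literal
                          + rb"(?!" + _ALNUM + rb"\x00)", re.DOTALL)
    literal = re.escape(text.encode("ascii"))
    return re.compile(rb"(?<!" + _ALNUM + rb")" + literal
                      + rb"(?!" + _ALNUM + rb")", re.DOTALL)


def count_hits(buf, strings, wide):
    """Number of strings in the set that occur at least once (YARA's 'N of')."""
    return sum(1 for s in strings if _pattern(s, wide).search(buf))


def evaluate(buf):
    """Evaluate each term of the condition and return them with the verdict:
    uint16(0) == 0x5a4d and filesize < 200KB and 7 of ($s*) and 2 of ($a*) and 1 of ($b*)
    """
    mz = len(buf) >= 2 and int.from_bytes(buf[:2], "little") == 0x5A4D  # b"MZ"
    size_ok = len(buf) < 200 * 1024  # YARA's KB is 1024 bytes
    a = count_hits(buf, A_STRINGS, False)
    b = count_hits(buf, B_STRINGS, True)
    s = count_hits(buf, S_STRINGS, False)
    # 7 of ($s*) with exactly seven $s strings means every one must be present.
    match = mz and size_ok and s >= 7 and a >= 2 and b >= 1
    return {"mz": mz, "size_ok": size_ok, "a": a, "b": b, "s": s, "match": match}


def build_sample(a_strings, b_strings, s_strings):
    """Constructed stand-in for a PE file: an MZ header plus NUL-separated
    strings. $a/$s are emitted as ASCII, $b as UTF-16LE, matching the
    modifiers in the rule. Not a real executable."""
    body = b"".join(t.encode("ascii") + b"\x00" for t in a_strings + s_strings)
    body += b"".join(t.encode("utf-16-le") + b"\x00\x00" for t in b_strings)
    return b"MZ" + b"\x90" * 62 + body


if __name__ == "__main__":
    full = build_sample(A_STRINGS, B_STRINGS, S_STRINGS)
    missing_s = build_sample(A_STRINGS, B_STRINGS, S_STRINGS[:-1])
    # "+6Service Pack " followed directly by a digit: fullword rejects it.
    not_fullword = missing_s + b"+6Service Pack 3\x00"
    print("all strings present    ->", evaluate(full))
    print("one $s string missing  ->", evaluate(missing_s)["match"])
    print("$s glued to a digit    ->", evaluate(not_fullword)["s"], "of 7 $s strings")
    print("$b stored as ASCII     ->", evaluate(build_sample(A_STRINGS + B_STRINGS, [], S_STRINGS))["match"])
    print("no MZ header           ->", evaluate(b"PE" + full[2:])["match"])
    print("padded to 200KB        ->", evaluate(full + b"\x00" * (200 * 1024))["match"])
```

The $b-as-ASCII case is the one worth remembering when porting or loosening the rule: the "wide" modifier only matches the UTF-16LE encoding, so a sample that stores the same description as ASCII contributes nothing to "1 of ($b*)". Likewise the fullword modifier means a version string such as "+6Service Pack 3" does not satisfy "+6Service Pack " even though the bytes are present.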
Because this is a file-content rule, tuning works on files and hashes rather than on process names or command lines; a YARA match has no originating process to exclude by.
Scenario: The rule is run across whole endpoints or file shares and hits files in a malware-analysis archive, a sandbox working directory or another location where samples are stored on purpose.
Filter/Exclusion: Keep those directories out of the scan scope, or triage hits there as expected rather than suppressing the rule.
Scenario: A hit lands on a file that turns out to be a legitimate shell extension or icon-handler DLL, which can legitimately carry some of the same COM registration paths and "Shell Icon Handler" description strings.
Filter/Exclusion: Do not exclude by path or process name. Compare the file's SHA-256 with the four hashes in the rule metadata, check its Authenticode signature and publisher, and if it is confirmed known-good, add its SHA-256 to the scanner's allow list so the rule itself stays intact.
Scenario: The rule is handed to a log-based platform (SIEM or EDR query language) instead of a file scanner.
Filter/Exclusion: Not applicable. The condition reads file bytes (uint16(0), filesize, string content) and must run where the file is readable; only the resulting alerts belong in the SIEM.