Adversaries may use custom configuration files to manipulate or control compromised systems, leveraging the CRASHOVERRIDE protocol to execute malicious commands. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control activities early and prevent further compromise.
YARA Rule

```yara
rule dragos_crashoverride_configReader {
    meta:
        description = "CRASHOVERRIDE v1 Config File Parsing"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
    strings:
        $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }
        $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }
        $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }
        $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }
    condition:
        all of them
}
```
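To show how the rule's strings behave, here is an added Python illustration (not Dragos' code and not a substitute for the YARA engine) that translates the four hex strings, including the half-wildcard `?8` at the end of `$s0`, into byte regexes and evaluates the `all of them` condition against a constructed buffer; the buffer's bytes, wildcard fills and NOP padding are made up for the demo.

```python
import re

# The four hex strings of dragos_crashoverride_configReader, copied from the rule above.
PATTERNS = {
    "$s0": "68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8",
    "$s1": "8a 10 3a 11 75 ?? 84 d2 74 12",
    "$s2": "33 c0 eb ?? 1b c0 83 c8 ??",
    "$s3": "85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ??",
}

def hex_pattern_to_regex(pattern: str):
    """Translate a YARA hex string into a bytes regex: '??' is any byte, and a
    half-wildcard like '?8' fixes one nibble (0x08, 0x18, ..., 0xf8)."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif "?" in tok:
            hi, lo = tok
            values = ([int(f"{h:x}{lo}", 16) for h in range(16)] if hi == "?"
                      else [int(f"{hi}{l:x}", 16) for l in range(16)])
            parts.append(b"[" + b"".join(b"\\x%02x" % v for v in values) + b"]")
        else:
            parts.append(b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data: bytes) -> dict:
    """Return {string name: first match offset} for each hex string found in data."""
    hits = {}
    for name, pat in PATTERNS.items():
        m = hex_pattern_to_regex(pat).search(data)
        if m:
            hits[name] = m.start()
    return hits

def rule_matches(data: bytes) -> bool:
    """The rule's condition is 'all of them': every string must be present."""
    return len(scan(data)) == len(PATTERNS)

# Constructed sample (not real malware bytes): each string with chosen wildcard bytes, NOP-padded.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("68 e8 11 22 33 6a 00 e8 a3 44 55 66 8b f8 83 c4 18")
    + b"\x90" * 3
    + bytes.fromhex("8a 10 3a 11 75 07 84 d2 74 12")
    + b"\x90" * 3
    + bytes.fromhex("33 c0 eb 05 1b c0 83 c8 ff")
    + b"\x90" * 3
    + bytes.fromhex("85 c0 75 0a 8d 95 f0 fe ff ff 8b cf 01 02")
)
```

Changing the final byte of the `$s0` region from 0x18 to 0x28 still matches (same low nibble), while 0x17 breaks the match and therefore the whole rule.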
This rule contains 4 string patterns in its detection logic.

This YARA rule can be deployed in the following contexts; each scenario is paired with the filter or exclusion that separates the benign activity from the detection:

- Scenario: System update or patching process using WSUS (Windows Server Update Services)
  Filter/Exclusion: Check for event_id=10000 (WSUS-related events) or filter by process_name=wsusutil.exe or process_name=setup.exe
- Scenario: Scheduled job for Microsoft Configuration Manager (SCCM) configuration file synchronization
  Filter/Exclusion: Filter by process_name=ccmexec.exe or process_name=cmstp.exe and check for event_id=1000 or event_id=1001
- Scenario: PowerShell script run by an admin for routine config file parsing or auditing
  Filter/Exclusion: Filter by process_name=powershell.exe and check for command_line containing audit or parse keywords
- Scenario: Log management tool like Splunk or ELK Stack parsing config files for log normalization
  Filter/Exclusion: Filter by process_name=splunkd.exe or process_name=java.exe (for ELK) and check for command_line containing log or normalize
- Scenario: Backup job using Veeam Backup & Replication or Commvault that processes config files during backup
  Filter/Exclusion: Filter by process_name=veeam.exe or process_name=commvault.exe and check for command_line containing backup or snapshot