Adversaries may exfiltrate sensitive data or configuration details through suspicious export activity, which can indicate early-stage compromise or preparation for further attacks. SOC teams should proactively hunt for this behaviour in Azure Sentinel to surface indicators of advanced persistent threats or initial breach vectors.
YARA Rule
import "pe"

rule dragos_crashoverride_exporting_dlls {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
    condition:
        // pe.exports() matches when the PE file exports a function named "Crash".
        // '&' is YARA's bitwise AND on the integer Characteristics field, not the
        // logical 'and'; the condition is true whenever the result is non-zero.
        pe.exports("Crash") & pe.characteristics
}
When hunting on this rule's hits, the following benign scenarios and their filters/exclusions can be used to tune out expected activity. Each filter keeps an event for review unless it matches both the benign process name and, where one is given, the benign argument keyword; note that the process-name tests must be joined with "and", since "process.name != A or process.name != B" is true for every process. Match process names case-insensitively on Windows.

Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: process.name != "vmbackup.exe" and process.name != "VeeamBackup.exe"

Scenario: Admin performing a PowerShell-based system cleanup using PowerShell.exe
Filter/Exclusion: (process.name != "PowerShell.exe" and process.name != "pwsh.exe") or process.args not containing "Cleanup"

Scenario: Regular Windows Update deployment using Group Policy or Windows Server Update Services (WSUS)
Filter/Exclusion: (process.name != "wusa.exe" and process.name != "msiexec.exe") or process.args not containing "update"

Scenario: Database export using SQL Server Management Studio (SSMS) or sqlcmd.exe
Filter/Exclusion: (process.name != "sqlcmd.exe" and process.name != "ssms.exe") or process.args not containing "export"

Scenario: Log file rotation or archiving using a custom script or tool like logrotate or rsync
Filter/Exclusion: (process.name != "rsync.exe" and process.name != "logrotate.exe") or (process.args not containing "rotate" and process.args not containing "archive")
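To show why the process-name tests in these exclusions must be joined with "and", here is an added Python check (not part of this page, Dragos, or any Sentinel tooling) that evaluates the filters as originally written next to the corrected logic over constructed sample process events; the event field names and case-insensitive matching are assumptions.

```python
"""Compare the exclusion logic as written ('name != A or name != B ...')
with the corrected form over constructed process events.
Matching is case-insensitive (assumption: Windows file names are, command
lines usually are not)."""

# (benign process names, benign argument keywords) from the scenarios above
SCENARIOS = [
    (("vmbackup.exe", "VeeamBackup.exe"), ()),
    (("PowerShell.exe", "pwsh.exe"), ("Cleanup",)),
    (("wusa.exe", "msiexec.exe"), ("update",)),
    (("sqlcmd.exe", "ssms.exe"), ("export",)),
    (("rsync.exe", "logrotate.exe"), ("rotate", "archive")),
]

def _args_clean(args, keywords):
    """True when none of the benign keywords appear in the arguments."""
    args = args.casefold()
    return not any(kw.casefold() in args for kw in keywords)

def keep_as_written(event):
    """Literal reading: (name != A or name != B) and args not containing K.
    The name test is always true, so only the keywords decide the outcome."""
    name, args = event["name"].casefold(), event["args"]
    for (a, b), keywords in SCENARIOS:
        name_test = name != a.casefold() or name != b.casefold()  # tautology
        if not (name_test and _args_clean(args, keywords)):
            return False
    return True

def keep_corrected(event):
    """Keep the event unless a scenario matches: listed name AND
    (no keywords listed, or the arguments contain one of them)."""
    name, args = event["name"].casefold(), event["args"]
    for names, keywords in SCENARIOS:
        benign_name = name in (n.casefold() for n in names)
        benign_args = not keywords or not _args_clean(args, keywords)
        if benign_name and benign_args:
            return False
    return True

# Constructed sample events, not real telemetry.
EVENTS = [
    {"name": "VeeamBackup.exe", "args": "/job nightly"},               # benign backup
    {"name": "updater.exe", "args": "--export C:\\dumps\\creds.db"},   # unknown process
    {"name": "sqlcmd.exe", "args": '-Q "EXPORT TABLE orders"'},        # benign DB export
    {"name": "pwsh.exe", "args": "-c Get-Process"},                    # no Cleanup marker
]

def hunt(filter_fn, events=EVENTS):
    """Return the names of events the filter keeps for analyst review."""
    return [e["name"] for e in events if filter_fn(e)]
```

As written, the Veeam job is never excluded while the unknown process whose arguments mention "export" is silently dropped from the hunt; the corrected filter does the reverse.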