This detection identifies potential CRASHOVERRIDE malware activity by computing the SHA-1 of each scanned file and comparing it against a list of known CRASHOVERRIDE sample hashes, indicating possible compromise of critical infrastructure systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threat campaigns targeting industrial control systems.
YARA Rule
import "hash"

rule dragos_crashoverride_hashes {
    meta:
        description = "CRASHOVERRIDE Malware Hashes"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
    condition:
        // "and" binds tighter than "or" in YARA, so the size check is
        // parenthesised to apply to every hash comparison, not only the first
        filesize < 1MB and (
            hash.sha1(0, filesize) == "f6c21f8189ced6ae150f9ef2e82a3a57843b587d" or
            hash.sha1(0, filesize) == "cccce62996d578b984984426a024d9b250237533" or
            hash.sha1(0, filesize) == "8e39eca1e48240c01ee570631ae8f0c9a9637187" or
            hash.sha1(0, filesize) == "2cb8230281b86fa944d3043ae906016c8b5984d9" or
            hash.sha1(0, filesize) == "79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a" or
            hash.sha1(0, filesize) == "94488f214b165512d2fc0438a581f5c9e3bd4d4c" or
            hash.sha1(0, filesize) == "5a5fafbc3fec8d36fd57b075ebf34119ba3bff04" or
            hash.sha1(0, filesize) == "b92149f046f00bb69de329b8457d32c24726ee00" or
            hash.sha1(0, filesize) == "b335163e6eb854df5e08e85026b2c3518891eda8"
        )
}
The following benign scenarios may trigger this rule when it is deployed; each lists a suggested filter or exclusion:
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that hashes a known system file (e.g., C:\Windows\System32\svchost.exe) as part of a maintenance or integrity check.
Filter/Exclusion: Exclude hashes from files in the Windows System directory (C:\Windows\*) or use a whitelist of known system hashes.
Scenario: Antivirus Scan Using VirusTotal
Description: An endpoint protection tool uploads a file hash to VirusTotal for malware analysis, and the rule fires because that hash is in the CRASHOVERRIDE list.
Filter/Exclusion: Exclude hashes from files uploaded to external threat intelligence platforms like VirusTotal or Microsoft Defender ATP.
Scenario: Software Update Deployment
Description: A patch management tool (e.g., Microsoft SCCM, Ansible) deploys a software update that includes a file with a hash matching a CRASHOVERRIDE hash.
Filter/Exclusion: Exclude hashes from files in known update directories (e.g., C:\Windows\Temp\*, C:\Program Files\*) or use a whitelist of approved update hashes.
Scenario: Admin Task Using PowerShell for File Integrity Monitoring
Description: An admin uses PowerShell to hash files for integrity monitoring, and one of the files matches a CRASHOVERRIDE hash.
Filter/Exclusion: Exclude hashes from files accessed by admin tools like PowerShell, or use a whitelist of files used in integrity monitoring tasks.
Scenario: Log File Analysis with Splunk
Description: A log analysis tool (e.g., Splunk) processes logs and generates a hash of a log file, which coincidentally matches a CRASHOVERRIDE hash.
Filter/Exclusion: Exclude hashes from log files or files with extensions like .log, .txt, or
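The rule above and the exclusion scenarios that follow it both reduce to the same logic: hash each file under the size limit, compare against the indicator set, and suppress verdicts for paths or hashes an analyst has approved. The script below is an added example that is not part of the original page or of the Dragos rule; it reimplements that logic in Python so a hunt can be run against a directory tree without a YARA engine, and generalises the scenarios into two exclusion mechanisms (path globs and an allowlist of SHA-1 values). The `demo()` function builds a constructed temporary directory whose "malicious" content is a placeholder byte string, not a real CRASHOVERRIDE sample, and the `updates/*` exclusion path is an assumption standing in for the update directories named above.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch

# SHA-1 indicators copied from the Dragos rule on this page.
CRASHOVERRIDE_SHA1 = frozenset({
    "f6c21f8189ced6ae150f9ef2e82a3a57843b587d",
    "cccce62996d578b984984426a024d9b250237533",
    "8e39eca1e48240c01ee570631ae8f0c9a9637187",
    "2cb8230281b86fa944d3043ae906016c8b5984d9",
    "79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a",
    "94488f214b165512d2fc0438a581f5c9e3bd4d4c",
    "5a5fafbc3fec8d36fd57b075ebf34119ba3bff04",
    "b92149f046f00bb69de329b8457d32c24726ee00",
    "b335163e6eb854df5e08e85026b2c3518891eda8",
})
MAX_SIZE = 1024 * 1024  # mirrors the rule's "filesize < 1MB"


def sha1_of_file(path, chunk_size=65536):
    """SHA-1 over the whole file, the equivalent of hash.sha1(0, filesize) in YARA."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(path, indicators=CRASHOVERRIDE_SHA1, excluded_globs=(),
             allowlisted_sha1=frozenset(), max_size=MAX_SIZE):
    """Verdict for one file: skipped_size, excluded_path, allowlisted_hash, match or clean."""
    if os.path.getsize(path) >= max_size:
        return "skipped_size"          # outside the rule's filesize < 1MB scope
    if any(fnmatch(path, pattern) for pattern in excluded_globs):
        return "excluded_path"         # directory-based exclusion (update/system paths)
    digest = sha1_of_file(path)
    if digest in allowlisted_sha1:
        return "allowlisted_hash"      # analyst-approved hash suppresses the match
    if digest in indicators:
        return "match"
    return "clean"


def scan(root, indicators=CRASHOVERRIDE_SHA1, excluded_globs=(), allowlisted_sha1=frozenset()):
    """Walk root and return {absolute path: verdict} for every regular file."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                results[path] = classify(path, indicators, excluded_globs, allowlisted_sha1)
    return results


def demo():
    """Constructed end-to-end run in a temp dir; returns {relative name: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        # Placeholder bytes standing in for a malicious sample (constructed, not real malware).
        sample = b"constructed placeholder for a CRASHOVERRIDE binary\n"
        approved = b"constructed placeholder for an approved update file\n"
        sample_sha1 = hashlib.sha1(sample).hexdigest()
        approved_sha1 = hashlib.sha1(approved).hexdigest()
        files = {
            "payload.exe": sample,               # should be reported
            "updates/patch.bin": sample,         # same bytes, but under an excluded path
            "approved.bin": approved,            # indicator hash that an analyst allowlisted
            "big.bin": b"\0" * MAX_SIZE,         # exactly 1 MiB, fails filesize < 1MB
            "notes.txt": b"nothing of interest\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(data)
        # Constructed indicator set: the real list plus the two placeholder hashes.
        indicators = CRASHOVERRIDE_SHA1 | {sample_sha1, approved_sha1}
        excluded = [os.path.join(root, "updates", "*")]   # assumed update directory
        results = scan(root, indicators, excluded, {approved_sha1})
        return {os.path.relpath(p, root).replace(os.sep, "/"): v for p, v in results.items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:16} {name}")
```

Design note: the path exclusion is checked before hashing so excluded trees cost nothing, while the hash allowlist is checked before the indicator set so an explicit analyst decision wins over a stale indicator. Keep both lists small and reviewed; an over-broad glob such as the whole `C:\Windows\*` tree suppresses exactly the locations a payload would choose.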