CRASHOVERRIDE v1 Suspicious Strings and Export

Hunt Hypothesis

The detection identifies potential CRASHOVERRIDE v1 malware activity through suspicious strings and export behavior, indicating possible adversary attempts to manipulate or compromise critical systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage adversarial actions and prevent further lateral movement or data exfiltration.

YARA Rule

rule dragos_crashoverride_name_search {
	meta:
		description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
		author = "Dragos Inc"
		reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
	strings:
		$s0 = "101.dll" fullword nocase wide
		$s1 = "Crash101.dll" fullword nocase wide
		$s2 = "104.dll" fullword nocase wide
		$s3 = "Crash104.dll" fullword nocase wide
		$s4 = "61850.dll" fullword nocase wide
		$s5 = "Crash61850.dll" fullword nocase wide
		$s6 = "OPCClientDemo.dll" fullword nocase wide
		$s7 = "OPC" fullword nocase wide
		$s8 = "CrashOPCClientDemo.dll" fullword nocase wide
		$s9 = "D2MultiCommService.exe" fullword nocase wide
		$s10 = "CrashD2MultiCommService.exe" fullword nocase wide
		$s11 = "61850.exe" fullword nocase wide
		$s12 = "OPC.exe" fullword nocase wide
		$s13 = "haslo.exe" fullword nocase wide
		$s14 = "haslo.dat" fullword nocase wide
	condition:
		any of ($s*) and pe.exports("Crash")
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 15 string patterns in its detection logic.

References

• https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
• Source Rule

False Positive Guidance

• Scenario: Scheduled System Backup Job
  Description: A legitimate scheduled backup job (e.g., Veeam Backup & Replication, Commvault, or VSS) may execute scripts or use strings that match the rule’s suspicious patterns during normal operations.
  Filter/Exclusion: Exclude processes associated with known backup tools using process.name or process.parent.name matching the backup tool’s service name (e.g., VeeamBackupService, Commvault).

• Scenario: Windows Task Scheduler Admin Task
  Description: An admin may create a scheduled task (e.g., using schtasks.exe) to run a script or executable that includes strings matching the rule’s suspicious patterns, such as export or crash.
  Filter/Exclusion: Exclude tasks created by the Task Scheduler service using process.name or process.parent.name matching schtasks.exe or TaskScheduler.

• Scenario: Log Management Tool Configuration Export
  Description: A log management tool like Splunk, ELK Stack, or Graylog may export configuration files or logs that include the string export or similar terms during routine operations.
  Filter/Exclusion: Exclude processes associated with log management tools using process.name or process.parent.name matching the tool’s service name (e.g., splunkd, logstash, graylog-server).

• Scenario: Database Export Task
  Description: A database administrator may run a script (e.g., mysqldump, pg_dump, or sqlcmd) to export data, which may include the word export in the command line or script.
  Filter/Exclusion: Exclude processes related to database export tools using process.name or command_line