← Back to SOC feed Coverage →

Identify service hollowing and persistence setting

yara LOW Yara-Rules
communitypersistence
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Yara-Rules →
Retrieved: 2026-05-21T11:00:00Z · Confidence: medium

Hunt Hypothesis

Adversaries may use service hollowing to execute malicious code under the guise of legitimate services, establishing persistence by replacing or injecting malicious payloads into service configurations. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect stealthy persistence mechanisms that evade traditional detection methods.

YARA Rule

rule dragos_crashoverride_serviceStomper {
    meta:
        description = "Identify service hollowing and persistence setting"
        author = "Dragos Inc"
		reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
    strings:
        $s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }
        $s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }
    condition:
        all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

This rule contains 2 string patterns in its detection logic.

References

False Positive Guidance

Original source: https://github.com/Yara-Rules/rules/blob/main/malware/APT_CrashOverride.yar