Emdivi malware is being executed through suspicious process creation and registry modifications that bypass standard detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and contain advanced persistent threats before they cause significant damage.
YARA Rule
rule Emdivi_Gen2
{
    meta:
        description = "Detects Emdivi Malware"
        author = "Florian Roth @Cyber0ps"
        reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
        date = "2015-08-20"
        super_rule = 1
        score = 80
        hash1 = "9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1"
        hash2 = "a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012"
        hash3 = "9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4"
    strings:
        $s1 = "%TEMP%\\IELogs\\" fullword ascii
        $s2 = "MSPUB.EXE" fullword ascii
        $s3 = "%temp%\\" fullword ascii
        $s4 = "\\NOTEPAD.EXE" fullword ascii
        $s5 = "%4d-%02d-%02d %02d:%02d:%02d " fullword ascii
        $s6 = "INTERNET_OPEN_TYPE_PRECONFIG" fullword ascii
        $s7 = "%4d%02d%02d%02d%02d%02d" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1300KB and 6 of them
}
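To make the condition concrete, here is an added example (not part of the original page and not a YARA engine) that re-implements the three clauses of Emdivi_Gen2 in Python: the little-endian MZ check, the 1300 KB size limit, and "6 of them" with YARA's fullword semantics (no ASCII letter or digit directly before or after a match). All sample buffers are constructed test data, not malware; run the real rule with yara-python or the yara CLI against actual files.

```python
# Added example, not from the original page: minimal evaluator for the
# Emdivi_Gen2 condition. Sample buffers below are constructed, not real samples.
import re
from typing import Dict, List

FILESIZE_LIMIT = 1300 * 1024   # YARA "1300KB" is 1300 * 1024 bytes
MIN_STRINGS = 6                # "6 of them"

# The seven $s strings from the rule; "\\" is one backslash in YARA and in Python.
EMDIVI_STRINGS: Dict[str, bytes] = {
    "$s1": b"%TEMP%\\IELogs\\",
    "$s2": b"MSPUB.EXE",
    "$s3": b"%temp%\\",
    "$s4": b"\\NOTEPAD.EXE",
    "$s5": b"%4d-%02d-%02d %02d:%02d:%02d ",
    "$s6": b"INTERNET_OPEN_TYPE_PRECONFIG",
    "$s7": b"%4d%02d%02d%02d%02d%02d",
}

# YARA "fullword": the match must not be bordered by an ASCII letter or digit.
ALNUM = frozenset(b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def fullword_present(data: bytes, needle: bytes) -> bool:
    """True if needle occurs in data at least once as a fullword match."""
    for m in re.finditer(re.escape(needle), data):
        before_ok = m.start() == 0 or data[m.start() - 1] not in ALNUM
        after_ok = m.end() == len(data) or data[m.end()] not in ALNUM
        if before_ok and after_ok:
            return True
    return False


def matched_strings(data: bytes) -> List[str]:
    """Names of the rule strings that match, in rule order."""
    return [name for name, s in EMDIVI_STRINGS.items() if fullword_present(data, s)]


def emdivi_gen2_matches(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and filesize < 1300KB and 6 of them."""
    has_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D  # b"MZ"
    return has_mz and len(data) < FILESIZE_LIMIT and len(matched_strings(data)) >= MIN_STRINGS


def build_sample(strings: List[bytes], header: bytes = b"MZ") -> bytes:
    """Constructed test buffer: header, then the strings separated by NUL padding."""
    pad = b"\x00" * 64
    return header + pad + pad.join(strings) + pad


ALL = list(EMDIVI_STRINGS.values())
SAMPLE_HIT = build_sample(ALL[:6])                           # MZ + six strings: match
SAMPLE_FIVE = build_sample(ALL[:5])                          # only five strings: no match
SAMPLE_NO_MZ = build_sample(ALL, header=b"PK")               # all strings but no MZ header
SAMPLE_TOO_BIG = build_sample(ALL) + b"\x00" * FILESIZE_LIMIT  # over the size limit
SAMPLE_PARTIAL = build_sample([b"XMSPUB.EXE"] + ALL[2:])     # "MSPUB.EXE" is not fullword here

if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("five", SAMPLE_FIVE), ("no_mz", SAMPLE_NO_MZ),
                       ("too_big", SAMPLE_TOO_BIG), ("partial_word", SAMPLE_PARTIAL)]:
        print(f"{label:13} strings={matched_strings(buf)} match={emdivi_gen2_matches(buf)}")
```

The partial-word sample is the one to note when tuning: an embedded "XMSPUB.EXE" does not count for $s2, so a file can contain all seven substrings and still fall short of "6 of them" when the fullword boundaries are not met.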
This rule contains seven string patterns ($s1 to $s7); a file matches when it starts with the MZ header, is smaller than 1300 KB, and contains at least six of the seven strings. The scenarios below describe legitimate activity that can overlap with the process-creation behaviour hunted for in Azure Sentinel, with the exclusion to apply to each.
Scenario: A system administrator is using PowerShell to perform routine system cleanup or configuration changes.
Filter/Exclusion: Exclude processes initiated by the PowerShell command-line interface (CLI) or scripts with known administrative tasks (e.g., Invoke-Command, Remove-Item, Stop-Process).
Scenario: A scheduled job runs to update or patch software, which includes executing scripts or binaries that match the Emdivi signature.
Filter/Exclusion: Exclude processes associated with Task Scheduler or Windows Update tasks, using the TaskName or CommandLine fields in the event log.
Scenario: A third-party tool (e.g., Microsoft System Center Configuration Manager (SCCM)) is performing inventory or configuration management tasks that involve executing scripts or binaries.
Filter/Exclusion: Exclude processes initiated by SCCM or similar tools using the ProcessName or CommandLine fields.
Scenario: A remote management tool (e.g., Microsoft Endpoint Manager (MEM)) is deploying configuration profiles or software updates.
Filter/Exclusion: Exclude processes associated with MEM or Intune using the ProcessName or User fields, such as MicrosoftIntuneManagementExtension.
Scenario: A backup or restore operation (e.g., using Veeam, Commvault, or Acronis) is executing scripts or binaries during the restore process.
Filter/Exclusion: Exclude processes related to backup/restore tools using the ProcessName or CommandLine fields, or by checking the ParentProcessName for known backup services.
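As an added example (not from the original page), the five exclusions above applied to constructed process-creation events in Python, in the form one would express them as where-clauses in a Sentinel KQL hunting query. Field names follow the page (ProcessName, CommandLine, ParentProcessName, User, TaskName). The allow-listed executable names are assumptions: CcmExec.exe is the SCCM client host, MicrosoftIntuneManagementExtension is named on the page, and the backup service parent is a placeholder to replace with whatever Veeam, Commvault or Acronis actually runs in your estate.

```python
# Added example, not from the original page: exclusion logic for the five
# false-positive scenarios, run over constructed (not real) telemetry.
import ntpath
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    ProcessName: str
    CommandLine: str
    ParentProcessName: str = ""
    User: str = ""
    TaskName: str = ""   # set when the event originates from a scheduled task (assumption)


# Scenario 1: admin cmdlets named on the page, matched case-insensitively.
ADMIN_CMDLETS = ("invoke-command", "remove-item", "stop-process")
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
# Scenario 3: SCCM client host (assumed name; confirm in your environment).
SCCM_PROCESSES = {"ccmexec.exe"}
# Scenario 4: Intune management extension, named on the page.
INTUNE_PROCESSES = {"microsoftintunemanagementextension.exe"}
# Scenario 5: PLACEHOLDER parent service names for backup/restore tools.
BACKUP_SERVICE_PARENTS = {"backup-service-placeholder.exe"}


def _base(name: str) -> str:
    """Lower-cased file name, so full paths and bare names compare equal."""
    return ntpath.basename(name).lower()


def exclusion_reason(ev: ProcessEvent) -> Optional[str]:
    """Return the scenario that excludes this event, or None if it should be hunted."""
    proc, parent = _base(ev.ProcessName), _base(ev.ParentProcessName)
    cmd = ev.CommandLine.lower()
    if (proc in POWERSHELL_HOSTS or parent in POWERSHELL_HOSTS) and any(c in cmd for c in ADMIN_CMDLETS):
        return "powershell-admin"            # Scenario 1
    if ev.TaskName:
        return "scheduled-task"              # Scenario 2 (TaskName field populated)
    if proc in SCCM_PROCESSES or parent in SCCM_PROCESSES:
        return "sccm"                        # Scenario 3
    if proc in INTUNE_PROCESSES or parent in INTUNE_PROCESSES:
        return "intune"                      # Scenario 4
    if parent in BACKUP_SERVICE_PARENTS:
        return "backup"                      # Scenario 5 (ParentProcessName check)
    return None


def hunt_candidates(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Events that survive every exclusion and go to the analyst."""
    return [e for e in events if exclusion_reason(e) is None]


# Constructed sample events, one per scenario plus one that should be kept.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -Command Remove-Item C:\Temp\* -Recurse",
                 r"C:\Windows\explorer.exe", "CORP\\admin1"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Patches\apply.cmd",
                 r"C:\Windows\System32\svchost.exe", "NT AUTHORITY\\SYSTEM",
                 TaskName=r"\Corp\PatchWindow"),
    ProcessEvent(r"C:\Windows\System32\cscript.exe", "cscript.exe inventory.vbs",
                 r"C:\Windows\CCM\CcmExec.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent(r"C:\Program Files (x86)\Microsoft Intune Management Extension\MicrosoftIntuneManagementExtension.exe",
                 "MicrosoftIntuneManagementExtension.exe",
                 r"C:\Windows\System32\services.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c restore-prep.cmd",
                 r"C:\Program Files\Backup\backup-service-placeholder.exe", "NT AUTHORITY\\SYSTEM"),
    # Not covered by any exclusion: a binary under a %TEMP%\IELogs path (one of the
    # rule's strings) spawned by an Office process. This is the event to triage.
    ProcessEvent(r"C:\Users\bob\AppData\Local\Temp\IELogs\svc.exe", "svc.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CORP\\bob"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{exclusion_reason(ev) or 'HUNT':16} {ev.ProcessName}")
```

Each exclusion here keys on a single field, exactly as the scenarios describe; in production, pair the name check with a second attribute the page also mentions (the parent process, the user context, or the full path) so that a process merely named like a management agent does not inherit its allow-listing.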