The fake market rule detects potential adversary behavior involving the creation of fake market data to manipulate or mislead users within an environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity that could compromise data integrity or operational decisions.
YARA Rule

rule fake_market: fake android
{
    meta:
        author = "https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
    condition:
        androguard.package_name("com.minitorrent.kimill")
}
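The rule's only condition is an exact match on the APK package name, so the same check can be expressed in plain Python over decoded AndroidManifest.xml text. This is an added example, not part of the original rule page; the helper names and the sample manifests are constructed for illustration.

```python
"""Re-implements the fake_market rule's condition without YARA.

The rule fires on androguard.package_name("com.minitorrent.kimill"), i.e. an
exact match on the package attribute of an APK's AndroidManifest.xml. The
functions below apply the same test to decoded manifest XML (constructed
samples, not real APKs), which is handy for triage on hosts that lack a YARA
build carrying the androguard module.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Package name taken from the rule's condition.
FAKE_MARKET_PACKAGE = "com.minitorrent.kimill"


def package_name_from_manifest(manifest_xml: str) -> Optional[str]:
    """Return the package attribute of a decoded manifest, or None if unparsable."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        return None
    if root.tag != "manifest":
        return None
    return root.get("package")


def fake_market_matches(manifest_xml: str) -> bool:
    """True only when the package name equals the rule's package exactly."""
    return package_name_from_manifest(manifest_xml) == FAKE_MARKET_PACKAGE


def scan_manifests(samples: Dict[str, str]) -> List[str]:
    """Return the sample names the rule would flag, in input order."""
    return [name for name, xml in samples.items() if fake_market_matches(xml)]


# Constructed samples: only sample_a carries the exact package name; sample_b
# shows that a near-miss package name is not matched; broken.apk is unparsable.
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
SAMPLES = {
    "sample_a.apk": f'<manifest {NS} package="com.minitorrent.kimill"><application/></manifest>',
    "sample_b.apk": f'<manifest {NS} package="com.minitorrent.kimill.v2"><application/></manifest>',
    "sample_c.apk": '<manifest package="com.example.benign"/>',
    "broken.apk": "<manifest package=",
}

if __name__ == "__main__":
    print(scan_manifests(SAMPLES))  # prints ['sample_a.apk']
```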
This YARA rule relies on the androguard module (the Koodous extension of YARA), so it only evaluates in a YARA build that includes that module, and its sole condition is an exact match on the APK package name com.minitorrent.kimill. It can be deployed in the following contexts:
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam may generate files with names similar to those associated with the fake_market rule.
Filter/Exclusion: Check for the presence of veeam or backup in the file path or process name, and exclude files created during scheduled backup windows.
Scenario: Windows Task Scheduler Running Maintenance Scripts
Description: A system maintenance script, such as one used by Windows Server for disk cleanup or log rotation, may create temporary files that match the rule’s signature.
Filter/Exclusion: Filter out files with extensions like .tmp, .log, or .bak, or check for the presence of task scheduler or schtasks.exe in the process tree.
Scenario: Docker Container Runtime Files
Description: Docker containers may generate temporary files or logs that could trigger the fake_market rule due to similar naming patterns.
Filter/Exclusion: Exclude files located within Docker directories such as /var/lib/docker/ or check for the presence of docker or container in the file path.
Scenario: Microsoft Exchange Database Maintenance
Description: Exchange databases may generate temporary files during maintenance tasks like defragmentation or ESEUTIL operations.
Filter/Exclusion: Filter files with extensions like .edb, .log, or .chk, or check for the presence of Exchange or MSExchange in the process or file path.
Scenario: Log File Rotation by Logrotate Utility
Description: The logrotate utility on Linux systems may create rotated log files that match the pattern of the fake_market rule.
Filter/Exclusion: Exclude files with .gz, .log, or .rotate extensions, or check for