genericSMS | SOC Hunt Feed

Hunt Hypothesis

The genericSMS rule detects potential adversary use of SMS-based communication channels to exfiltrate data or establish command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threat activity that may evade traditional detection methods.

YARA Rule

rule genericSMS : smsFraud android
{
	meta:
	    	author = "https://twitter.com/plutec_net"
            	reference = "https://koodous.com/"
	    	sample = "3fc533d832e22dc3bc161e5190edf242f70fbc4764267ca073de5a8e3ae23272"
	    	sample2 = "3d85bdd0faea9c985749c614a0676bb05f017f6bde3651f2b819c7ac40a02d5f"

	strings:
		$a = "SHA1-Digest: +RsrTx5SNjstrnt7pNaeQAzY4kc="
		$b = "SHA1-Digest: Rt2oRts0wWTjffGlETGfFix1dfE="
		$c = "http://image.baidu.com/wisebrowse/index?tag1=%E6%98%8E%E6%98%9F&tag2=%E5%A5%B3%E6%98%8E%E6%98%9F&tag3=%E5%85%A8%E9%83%A8&pn=0&rn=10&fmpage=index&pos=magic#/channel"
		$d = "pitchfork=022D4"

	condition:
		all of them
		
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

Microsoft Defender for Endpoint — Custom indicators / advanced hunting
Email Gateway — Attachment scanning
File Share Monitoring — Periodic scanning of shared drives
YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

False Positive Guidance

Scenario: Scheduled system maintenance or software updates using task scheduler
Filter/Exclusion: process.parent_process == "C:\Windows\System32\svchost.exe" && process.name == "schtasks.exe"
Scenario: Legitimate SMS gateway or notification service (e.g., Twilio, Nexmo) sending test messages
Filter/Exclusion: process.name == "twilio-cli.exe" || process.name == "nexmo-cli.exe" || process.name == "sms-gateway-service.exe"
Scenario: Admin performing a bulk SMS export or report generation via a management console (e.g., Microsoft Teams, Cisco Unity Connection)
Filter/Exclusion: process.name == "teams.exe" || process.name == "cucm.exe" || process.name == "smsadmin.exe"
Scenario: Automated backup or log rotation job that includes SMS-related data transfer
Filter/Exclusion: process.name == "backup.exe" || process.name == "logrotate.exe" || process.name == "smsbackup.exe"
Scenario: User manually sending a test SMS via a mobile app or SMS API (e.g., Firebase Cloud Messaging, AWS SNS)
Filter/Exclusion: process.name == "firebase-messaging.exe" || process.name == "sns-cli.exe" || process.name == "sms-test-tool.exe"