The Ham backdoor detection identifies potential adversary persistence mechanisms by analyzing suspicious file artifacts that may indicate a low-privilege backdoor. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts that evade traditional detection methods.
YARA Rule
rule Ham_backdoor
{
    meta:
        author = "Cylance Spear Team"
        reference = "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
    strings:
        $a = {8D 14 3E 8B 7D FC 8A 0C 11 32 0C 38 40 8B 7D 10 88 0A 8B 4D 08 3B C3}
        $b = {8D 0C 1F 8B 5D F8 8A 04 08 32 04 1E 46 8B 5D 10 88 01 8B 45 08 3B F2}
    condition:
        $a or $b
}
This YARA rule can be deployed in the following contexts:
This rule contains two hex byte patterns ($a and $b) in its detection logic; a file matches when either pattern is present.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the YARA signature due to similar file naming or content.
Filter/Exclusion: Exclude files with a .ps1 or .bat extension that are part of a known maintenance schedule (e.g., C:\Windows\Tasks\maintenance_task.ps1).
Scenario: Admin PowerShell Script for Patching
Description: An admin uses a PowerShell script to apply patches, which contains code similar to the Ham backdoor signature.
Filter/Exclusion: Exclude files executed via PowerShell.exe with a known patching script path (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\patch_script.ps1).
Scenario: Log File Parsing with Regular Expressions
Description: A log parsing tool uses regular expressions that inadvertently match the YARA rule due to similar string patterns.
Filter/Exclusion: Exclude files with a .log extension or containing the string log_parser in the file path.
Scenario: Backup Job Executing a Script
Description: A backup job runs a script that includes a string matching the YARA rule, such as a temporary file used for data extraction.
Filter/Exclusion: Exclude files created by the backup service (e.g., C:\Backup\temp_script.bat) or with a .bak extension.
Scenario: Third-Party Tool with Similar Signature
Description: A legitimate third-party tool (e.g., Sysinternals tools) contains code that matches the YARA rule due to similar obfuscation techniques.
Filter/Exclusion: Exclude files signed by Microsoft or located in the C:\Windows\System32 directory with known tool names (e.g., `Process Explorer.exe
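As an added example (editor's code, not part of this page or of the Cylance rule), the following Python re-implements the rule's condition without any YARA dependency and then applies the path and extension exclusions from the scenarios above as a triage step. The two hex strings are copied from the rule as written; since they contain no wildcards or jumps, a byte-substring search is equivalent to the rule's `$a or $b` condition. The Microsoft-signature check is modelled as a boolean passed in by the caller (an assumption: Authenticode verification is out of scope here), the "known tool names" set holds only the one name the page gives, and the sample buffers are constructed for this example.

```python
"""Re-implementation of the Ham_backdoor YARA logic plus the page's exclusions.

Added example, not the original rule or page code. Hex patterns are copied
verbatim from the rule; everything else (paths, sample buffers, the
signature flag) is either taken from the scenario text or constructed here.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# The rule's two strings. bytes.fromhex() ignores the spaces, so the hex is
# kept exactly as it appears in the rule for easy comparison.
PATTERNS: dict[str, bytes] = {
    "$a": bytes.fromhex("8D 14 3E 8B 7D FC 8A 0C 11 32 0C 38 40 8B 7D 10 88 0A 8B 4D 08 3B C3"),
    "$b": bytes.fromhex("8D 0C 1F 8B 5D F8 8A 04 08 32 04 1E 46 8B 5D 10 88 01 8B 45 08 3B F2"),
}


def matching_strings(data: bytes) -> list[str]:
    """Return the identifiers of the rule strings found in data ('$a', '$b')."""
    return [name for name, pattern in PATTERNS.items() if pattern in data]


def rule_matches(data: bytes) -> bool:
    """The rule's condition, `$a or $b`."""
    return bool(matching_strings(data))


# Exclusions transcribed from the false-positive scenarios on the page.
EXCLUDED_EXTENSIONS = {".ps1", ".bat", ".log", ".bak"}
EXCLUDED_PATH_FRAGMENTS = ("log_parser",)
EXCLUDED_PATHS = {
    r"C:\Windows\Tasks\maintenance_task.ps1",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\patch_script.ps1",
    r"C:\Backup\temp_script.bat",
}
SYSTEM32_DIR = r"C:\Windows\System32"
KNOWN_SYSTEM32_TOOLS = {"process explorer.exe"}  # the page's single example


def is_excluded(path: str, signed_by_microsoft: bool = False) -> bool:
    """True when the path falls under one of the page's filter/exclusion rules.

    signed_by_microsoft is supplied by the caller; this example does not
    verify Authenticode signatures itself (assumption).
    """
    p = PureWindowsPath(path)
    lowered = path.lower()
    if signed_by_microsoft:
        return True
    if p.suffix.lower() in EXCLUDED_EXTENSIONS:
        return True
    if lowered in {e.lower() for e in EXCLUDED_PATHS}:
        return True
    if any(frag in lowered for frag in EXCLUDED_PATH_FRAGMENTS):
        return True
    in_system32 = str(p.parent).lower() == SYSTEM32_DIR.lower()
    return in_system32 and p.name.lower() in KNOWN_SYSTEM32_TOOLS


def triage(path: str, data: bytes, signed_by_microsoft: bool = False) -> dict:
    """Scan data with the rule and classify the result for the analyst queue.

    Excluded matches keep their string hits so they can still be logged and
    reviewed rather than silently dropped.
    """
    hits = matching_strings(data)
    if not hits:
        verdict = "no_match"
    elif is_excluded(path, signed_by_microsoft):
        verdict = "excluded"
    else:
        verdict = "alert"
    return {"path": path, "verdict": verdict, "strings": hits}


# Constructed sample buffers: a fake PE-like blob embedding $a, and one that
# contains neither pattern. Neither is a real file from the page.
SAMPLE_MALICIOUS = b"MZ" + b"\x90" * 16 + PATTERNS["$a"] + b"\xc3" + b"\x00" * 8
SAMPLE_BENIGN = b"MZ" + b"\x90" * 32 + b"\x00" * 16


if __name__ == "__main__":
    for path, blob in [
        (r"C:\Users\bob\AppData\Local\Temp\svc.exe", SAMPLE_MALICIOUS),
        (r"C:\Backup\temp_script.bat", SAMPLE_MALICIOUS),
        (r"C:\Users\bob\notes.exe", SAMPLE_BENIGN),
    ]:
        print(triage(path, blob))
```

In production the rule itself would be loaded with yara-python (`yara.compile(source=...)` followed by `rules.match(data=...)`) rather than re-implemented; the point of the re-implementation is to make the exclusion step testable next to the match logic. Because the excluded verdict still carries the matched string names, a pipeline can write those events to a low-priority table instead of discarding them, which keeps the path- and extension-based suppressions from hiding a genuine hit that happens to sit under an excluded path.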