This YARA rule flags Android packages (APKs) whose extracted URL strings reference the domain koko02.ru, which the rule's metadata attributes to an infostealer family. The condition uses the androguard module (the APK analysis module exposed on Koodous), so the rule runs over APK analysis results, not over Azure or Windows host telemetry. SOC and mobile-app vetting teams can run it against APK submissions and sandbox queues to surface samples that embed this domain, and should treat a hit as a lead for analysis rather than as proof of exfiltration: the rule only establishes that the string is present in the app.
YARA Rule
import "androguard"   // Koodous/androguard module; required for androguard.url()

rule infostealer : amtrckr
{
    meta:
        family = "infostealer"
        description = "APK whose extracted URL strings contain koko02.ru"
    condition:
        // Unanchored pattern: also matches longer hostnames that contain koko02.ru
        androguard.url(/koko02\.ru/)
}
This YARA rule evaluates the URL list that the androguard module extracts from an APK, so it is deployed in APK scanning pipelines (Koodous, a mobile sandbox, or an internal app-vetting queue), not against endpoint process telemetry. The host-level exclusions that were previously listed for it (process.name == "schtasks.exe", "mimikatz.exe", "PowerView.ps1", "powershell.exe" with event_id == 4104, "choco.exe", "wsusutil.exe", "robocopy.exe", "xcopy.exe") refer to Windows processes and event IDs that do not exist in the context this rule runs in and cannot be expressed as YARA conditions on an APK. One of them was also unsafe on its own terms: excluding mimikatz.exe or PowerView.ps1 because "an admin may be running a security audit" silences credential dumping regardless of who runs it; an authorised audit should be scoped by change ticket, host and time window, never by process name. The tuning cases that actually apply to this rule are:
Scenario: Lookalike or longer hostname
Description: The pattern /koko02\.ru/ is unanchored, so an APK that references koko02.run or prefix-koko02.ru also matches, because the string is a substring of those hostnames.
Filter/Exclusion: Anchor the pattern to a full host, for example androguard.url(/^https?:\/\/([a-z0-9-]+\.)*koko02\.ru(:[0-9]+)?(\/|$)/)
Scenario: Known-good application that references the domain
Description: An app whose developer legitimately uses koko02.ru matches on the URL alone.
Filter/Exclusion: Add a negative condition on the app identity rather than on the URL, for example "and not androguard.package_name(/^com\.example\.knowngood$/)" (the package name here is a placeholder), or maintain the allow-list in the pipeline keyed on the APK's signing certificate.
Scenario: Repeated submissions of the same sample
Description: The same APK rescanned several times produces one alert per scan.
Filter/Exclusion: Deduplicate on the APK's SHA-256 in the pipeline; keep the rule itself unchanged.
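The following is an added example and not code from the original page or from Koodous. It emulates in plain Python what the rule's androguard.url(/koko02\.ru/) condition checks, runs it over constructed APK-shaped zip files (a real APK is a zip containing classes.dex), and shows the unanchored-regex caveat next to an anchored variant. The URL extractor, the stub DEX layout and the sample strings are assumptions made for the example; the real androguard module builds its URL list from decompiled code, not from a raw byte scan.

```python
"""Emulate the androguard.url() check of the 'infostealer : amtrckr' rule.

Assumptions (not from the page or the androguard module):
  - URLs are harvested by a regex over the raw bytes of every *.dex entry.
  - The sample APKs are minimal zips with a stub classes.dex, built below.
"""
import io
import re
import zipfile

# The rule's own pattern, byte-for-byte: unanchored, like /koko02\.ru/ in YARA.
RULE_PATTERN = re.compile(rb"koko02\.ru")

# Tightened variant: full host match, optional port, then a path or end of string.
ANCHORED_PATTERN = re.compile(rb"^https?://([a-z0-9-]+\.)*koko02\.ru(:[0-9]+)?(/|$)")

# Crude URL harvester over DEX bytes (assumption: approximates the module's URL list).
# Strings inside a DEX are NUL-separated, so the path class stops at \x00.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._-]+(?:[:/][^\s\"'<>\x00]*)?")


def extract_urls(apk_bytes: bytes) -> list[str]:
    """Return the sorted set of URL strings found in the .dex entries of an APK."""
    urls = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".dex"):
                for m in URL_RE.finditer(zf.read(name)):
                    urls.add(m.group(0).decode("ascii", "replace"))
    return sorted(urls)


def evaluate(apk_bytes: bytes, pattern: re.Pattern = RULE_PATTERN) -> dict:
    """Apply a url() style condition: the rule fires if any URL matches the pattern."""
    urls = extract_urls(apk_bytes)
    hits = [u for u in urls if pattern.search(u.encode("ascii", "replace"))]
    return {
        "rule": "infostealer",
        "tags": ["amtrckr"],
        "matched": bool(hits),
        "matched_urls": hits,
        "all_urls": urls,
    }


def build_fake_apk(dex_strings: list[bytes]) -> bytes:
    """Constructed sample: a zip with a stub classes.dex holding NUL-separated strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(dex_strings) + b"\x00")
    return buf.getvalue()


# Constructed inputs: one that should fire, one benign, one lookalike hostname.
SUSPECT_APK = build_fake_apk(
    [b"Hello", b"https://koko02.ru/gate.php", b"android.permission.READ_SMS"]
)
BENIGN_APK = build_fake_apk([b"https://example.com/api", b"settings"])
LOOKALIKE_APK = build_fake_apk([b"http://koko02.run/health"])


if __name__ == "__main__":
    for label, apk in (("suspect", SUSPECT_APK), ("benign", BENIGN_APK), ("lookalike", LOOKALIKE_APK)):
        loose = evaluate(apk)
        tight = evaluate(apk, ANCHORED_PATTERN)
        print(f"{label:9s} rule-as-written={loose['matched']}  anchored={tight['matched']}  urls={loose['all_urls']}")
```

The lookalike sample is the point of the exercise: the rule as written fires on koko02.run because koko02.ru is a substring of that host, while the anchored pattern does not. When tightening the real rule, keep the same shape in YARA syntax (escape the slashes: /^https?:\/\/.../) and confirm against a known-matching sample that the anchored version still fires before replacing the original.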