The thoughtcrime rule detects potential adversary behavior involving suspicious file artifacts that may indicate covert data exfiltration or persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate low-severity threats that could escalate into more severe incidents.
YARA Rule

rule thoughtcrime: amtrckr
{
    meta:
        family = "thoughtcrime"
    condition:
        androguard.url(/losbalonazos\.com/) or
        androguard.url(/www\.oguhtell\.ch/) or
        androguard.url(/szaivert-numis\.at/) or
        androguard.url(/edda-mally\.at/) or
        androguard.url(/clubk-ginza\.net/)
}
When this YARA rule is deployed, the following scenarios can produce benign matches; the filter or exclusion listed with each scenario suppresses them:

Scenario: A system administrator is performing a scheduled backup using Veeam Backup & Replication and the backup process generates files matching the YARA signature.
Filter/Exclusion: Exclude files created by the Veeam Backup service or within the Veeam backup directory (e.g., C:\ProgramData\Veeam\Backup).

Scenario: A developer is using Docker to run a local development container, and the container's filesystem contains files that match the YARA rule due to shared volumes or base images.
Filter/Exclusion: Exclude files within Docker directories such as /var/lib/docker or those associated with specific container IDs or names.

Scenario: A security analyst is using Wireshark to capture and analyze network traffic, and the captured packets include data that matches the YARA rule due to protocol anomalies or custom payloads.
Filter/Exclusion: Exclude files or processes related to Wireshark (e.g., wireshark.exe, tshark.exe) or traffic from known internal tools.

Scenario: A system update using Chocolatey installs a package that includes files matching the YARA signature, such as a legitimate utility or library.
Filter/Exclusion: Exclude files installed by Chocolatey (e.g., files in C:\ProgramData\chocolatey\ or those with chocolatey in their path).

Scenario: A database administrator is running a SQL Server Agent Job that generates temporary files or logs that happen to match the YARA signature.
Filter/Exclusion: Exclude files created by SQL Server Agent (e.g., files in C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Backup or with SQLAgent in their name).
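The rule's URL condition combined with the path-based exclusions above, as an added Python triage example (not part of this page and not the androguard YARA module itself): the five regexes are copied from the rule, while the exclusion prefixes are taken from the scenarios and are assumptions about a particular deployment.

```python
import re

# The five URL patterns exactly as the rule writes them. androguard.url()
# applies each regex as an unanchored, case-sensitive search over every URL
# string extracted from the sample, so the escaped dots matter: "losbalonazos-com"
# must not match "losbalonazos\.com".
THOUGHTCRIME_URL_PATTERNS = [
    re.compile(r"losbalonazos\.com"),
    re.compile(r"www\.oguhtell\.ch"),
    re.compile(r"szaivert-numis\.at"),
    re.compile(r"edda-mally\.at"),
    re.compile(r"clubk-ginza\.net"),
]

# Assumed exclusion prefixes, drawn from the deployment scenarios above.
# Tune these to the environment before relying on them.
EXCLUDED_PATH_PREFIXES = [
    r"C:\ProgramData\Veeam\Backup",
    "/var/lib/docker",
    r"C:\ProgramData\chocolatey",
    r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Backup",
]


def _normalize(path: str) -> str:
    # Compare Windows and POSIX paths the same way: forward slashes, lowercase.
    return path.replace("\\", "/").lower()


def rule_matches(urls):
    """Emulate the rule condition: true if any URL matches any pattern."""
    return any(p.search(u) for u in urls for p in THOUGHTCRIME_URL_PATTERNS)


def is_excluded(path: str) -> bool:
    """True if the file sits under one of the assumed benign-source prefixes."""
    norm = _normalize(path)
    return any(norm.startswith(_normalize(prefix)) for prefix in EXCLUDED_PATH_PREFIXES)


def triage(path: str, urls) -> str:
    """Return 'alert', 'excluded' or 'clean' for one scanned file."""
    if not rule_matches(urls):
        return "clean"
    if is_excluded(path):
        return "excluded"
    return "alert"
```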