The Tofu Backdoor detection rule identifies potential adversary persistence established through a low-privilege, stealthy backdoor mechanism that may evade traditional detection methods. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term access that could lead to more severe compromises.
YARA Rule
rule Tofu_Backdoor
{
    meta:
        author = "Cylance Spear Team"
        reference = "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
    strings:
        $a = "Cookies: Sym1.0"
        $b = "\\\\.\\pipe\\1[12345678]"
        $c = {66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0}
    condition:
        $a or $b or $c
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
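To make the three patterns concrete, the following added example (not part of the Cylance rule or this page) decodes each YARA string into the exact bytes it matches and evaluates the rule's condition over constructed sample buffers. It assumes plain YARA text-string escape semantics, where square brackets are literal characters, so the sample buffers are constructed to show what the $b pattern does and does not hit.

```python
# Strings from the Tofu_Backdoor YARA rule above, kept as YARA source text.
YARA_TEXT_STRINGS = {
    "$a": r'"Cookies: Sym1.0"',
    "$b": r'"\\\\.\\pipe\\1[12345678]"',
}
YARA_HEX_STRING = "{66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0}"


def decode_yara_text(src: str) -> bytes:
    """Turn a quoted YARA text string into the literal bytes it matches.

    YARA text strings recognise only the escapes \\\\, \\", \\t, \\n, \\r and \\xNN.
    Square brackets are ordinary characters here (a character class would need
    a /regex/ string), so $b matches the literal text \\\\.\\pipe\\1[12345678].
    """
    body = src[1:-1]  # strip the surrounding double quotes
    out = bytearray()
    i = 0
    while i < len(body):
        if body[i] != "\\":
            out.append(ord(body[i]))
            i += 1
        elif body[i + 1] == "x":
            out.append(int(body[i + 2:i + 4], 16))
            i += 4
        else:
            out.append({"\\": 0x5C, '"': 0x22, "t": 9, "n": 10, "r": 13}[body[i + 1]])
            i += 2
    return bytes(out)


def decode_yara_hex(src: str) -> bytes:
    """Parse a YARA hex string with no wildcards or jumps into raw bytes."""
    return bytes.fromhex(src.strip("{}").replace(" ", ""))


def scan(buf: bytes) -> dict:
    """Evaluate the rule condition ($a or $b or $c) over buf; report per-string hits."""
    patterns = {name: decode_yara_text(s) for name, s in YARA_TEXT_STRINGS.items()}
    patterns["$c"] = decode_yara_hex(YARA_HEX_STRING)
    hits = {name: pat in buf for name, pat in patterns.items()}
    return {"matches": any(hits.values()), "hits": hits}


# Constructed sample buffers (not real captures) exercising each string.
SAMPLES = {
    "http_header": b"GET / HTTP/1.1\r\nHost: example.invalid\r\nCookies: Sym1.0\r\n\r\n",
    "pipe_literal": b"\\\\.\\pipe\\1[12345678]",  # the bytes $b really matches
    "pipe_numbered": b"\\\\.\\pipe\\11",           # NOT matched: brackets are literal
    "opcodes": b"\x90" * 8 + decode_yara_hex(YARA_HEX_STRING) + b"\xc3",
}
```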
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that uses tar to archive logs, which may trigger the Tofu Backdoor detection due to the presence of the tar command.
Filter/Exclusion: Exclude processes initiated by the system scheduler (e.g., cron, at, or task scheduler) or filter by command-line arguments containing --archive or --log.
Scenario: Admin Task Using tar for Backup
Description: An administrator uses tar to create a backup of user data, which may be flagged due to the use of the tar utility.
Filter/Exclusion: Exclude processes where the user is a domain admin or where the command includes --backup or --exclude flags.
Scenario: Log Rotation Using logrotate
Description: The logrotate utility compresses and rotates logs using tar, which may trigger the Tofu Backdoor rule.
Filter/Exclusion: Exclude processes initiated by logrotate or filter by command-line arguments containing --compress or --rotate.
Scenario: Software Update Using tar
Description: A legitimate software update process uses tar to extract files, which may be flagged by the Tofu Backdoor detection.
Filter/Exclusion: Exclude processes where the file path matches known update directories (e.g., /opt/update/, /var/tmp/update/) or filter by user context (e.g., root or sudo).
Scenario: Database Backup Using tar
Description: A database administrator uses tar to back up a database to a remote server, which may trigger the Tofu Backdoor rule.
Filter/Exclusion: Exclude processes where the