The z3core YARA rule detects potential exploitation of the Z3 solver library, which may indicate malicious code execution or code injection attempts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage adversarial activity that could lead to deeper system compromise.
YARA Rule
// The androguard module must be imported before androguard.url() can be used in a condition.
import "androguard"

rule z3core: amtrckr
{
    meta:
        family = "z3core"
    condition:
        // Matches when any URL string extracted from the APK contains lexsmilefux.link
        // (unanchored regular-expression search; the backslash escapes the literal dot).
        androguard.url(/lexsmilefux\.link/)
}
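To see what the rule's condition actually tests, the added Python example below (not part of the original page or of any YARA/androguard project) emulates androguard.url() as an unanchored regex search over a constructed list of URL strings and contrasts it with a hostname-aware check that an analyst can use when tuning for false positives; all URLs in it are hypothetical.

```python
import re
from urllib.parse import urlparse

# The pattern from the z3core rule's condition: androguard.url(/lexsmilefux\.link/).
# YARA applies it as an unanchored search over every URL string androguard
# extracts from the APK, so re.search is the closest Python equivalent.
RULE_PATTERN = re.compile(r"lexsmilefux\.link")

# Constructed sample URL lists (hypothetical; not taken from any real sample).
SAMPLE_APK_URLS = [
    "https://lexsmilefux.link/api/v1/register",
    "http://cdn.lexsmilefux.link/payload.bin",
    "https://schemas.android.com/apk/res/android",
]
BENIGN_APK_URLS = [
    "https://www.google.com/",
    "https://lexsmilefuxXlink.example/",  # the escaped dot in the rule rejects this
]
LOOSE_MATCH_URLS = [
    "https://notlexsmilefux.link/update",  # unanchored search still matches here
]


def rule_matches(urls):
    """Emulate the rule condition: True if any extracted URL contains the pattern."""
    return any(RULE_PATTERN.search(u) for u in urls)


def hostname_matches(urls, domain="lexsmilefux.link"):
    """Stricter check: parse each URL and require the host to be the domain itself
    or a subdomain of it, so look-alike hosts such as notlexsmilefux.link are not hits."""
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


if __name__ == "__main__":
    for name, urls in [("sample", SAMPLE_APK_URLS), ("benign", BENIGN_APK_URLS),
                       ("loose", LOOSE_MATCH_URLS)]:
        print(name, "rule:", rule_matches(urls), "hostname:", hostname_matches(urls))
```

The loose list shows the rule's regex is a substring match, so a triage step that re-checks the parsed hostname is a cheap way to confirm a hit before escalating.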
This YARA rule can be deployed in the following contexts:
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Task Scheduler job, is running a script or executable that matches the z3core YARA rule.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or with a command line containing /S (for scheduled tasks).
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Windows Defender, Bitdefender, or Kaspersky is performing a full system scan and temporarily executes a file that matches the z3core rule.
Filter/Exclusion: Exclude processes with parent process svchost.exe or MsMpEng.exe, or with a command line containing Scan or FullScan.
Scenario: Software Update or Patch Deployment
Description: A legitimate software update or patch, such as from Microsoft Windows Update or a third-party application like Adobe Reader, is being deployed and triggers the rule.
Filter/Exclusion: Exclude processes with parent process wuauclt.exe or msiexec.exe, or with a command line containing update, patch, or install.
Scenario: Database Backup or Restore Job
Description: A database backup or restore job, such as using sqlbackup.exe or mysqldump, is running and matches the z3core rule due to similar file structure.
Filter/Exclusion: Exclude processes with parent process sqlservr.exe or mysqld.exe, or with a command line containing backup, restore, or dump.
Scenario: Log Collection or Monitoring Tool
Description: A log collection tool like Splunk, ELK Stack, or Graylog is running a process that matches the z3core rule due to similar