Common Information
Type | Value
---|---
Category |
Type | Yara Rule
Misp Type |
Description |

Value (the YARA rule, restored from the single extracted line to its multi-line form):

```yara
rule P0_Hunting_Azure_EnvVarNames_1
{
    meta:
        description = "Detecting presence of scripts searching for numerous environment variables containing sensitive Azure credential information"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_04 = "f7df739f865448ac82da01b3b1a97041"
        md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_06 = "99f0102d673423c920af1abc22f66d4e"
        md5_07 = "99f0102d673423c920af1abc22f66d4e"  // identical to md5_06 as published
        md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"

    strings:
        // Shell reference syntax for an Azure-prefixed environment variable
        $envVarAzurePrefixSyntax_01 = "$AZURE_"
        $envVarAzurePrefixSyntax_02 = "${AZURE_"

        // Variable names that carry credential material or identity context
        $envVarAzure_01 = "AZURE_CREDENTIAL_FILE"
        $envVarAzure_02 = "AZURE_GUEST_AGENT_CONTAINER_ID"
        $envVarAzure_03 = "AZURE_CLIENT_ID"
        $envVarAzure_04 = "AZURE_CLIENT_SECRET"
        $envVarAzure_05 = "AZURE_TENANT_ID"
        $envVarAzure_06 = "AZURE_SUBSCRIPTION_ID"

        // "if [ -n "$VAR" ]; then echo ..." pattern used to dump each set variable
        $envVarEcho = "then echo "

    condition:
        // Note: the wildcard $envVarAzure* also covers the two
        // $envVarAzurePrefixSyntax_* identifiers, not only the six names above
        (1 of ($envVarAzurePrefixSyntax*)) and (3 of ($envVarAzure*)) and (#envVarEcho >= 3)
}
```
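To show how the three clauses of the condition work together, the following is an added Python re-implementation of the rule's string matching and condition (example code written for this page, not part of the original entry or of Permiso's rule) run over three constructed shell snippets: one that dumps Azure variables the way the rule expects, one deployment script that references the same variables without dumping them, and one harvester that reads the variables indirectly through printenv. The sample scripts, the function `evaluate_rule` and the constant names are all assumptions of this example; a real scan would use the yara CLI or yara-python against the rule text above.

```python
"""Plain-Python mirror of the P0_Hunting_Azure_EnvVarNames_1 condition.

Plain YARA strings with no modifiers match case-sensitive ASCII, and the
`#` operator counts every occurrence, so bytes.count() is a faithful stand-in
for a string that cannot overlap itself (added example, not the rule's code).
"""

# Strings copied from the rule. $envVarAzure* in the condition is an
# identifier-prefix wildcard, so in YARA it also covers the two
# $envVarAzurePrefixSyntax_* strings; the set below is built the same way.
PREFIX_SYNTAX_STRINGS = (b"$AZURE_", b"${AZURE_")
ENV_VAR_NAME_STRINGS = (
    b"AZURE_CREDENTIAL_FILE",
    b"AZURE_GUEST_AGENT_CONTAINER_ID",
    b"AZURE_CLIENT_ID",
    b"AZURE_CLIENT_SECRET",
    b"AZURE_TENANT_ID",
    b"AZURE_SUBSCRIPTION_ID",
)
ECHO_STRING = b"then echo "


def evaluate_rule(data: bytes) -> dict:
    """Return the per-clause results and the overall verdict for one file."""
    prefix_hits = sum(1 for s in PREFIX_SYNTAX_STRINGS if s in data)
    # "3 of ($envVarAzure*)": every identifier starting with envVarAzure
    azure_set_hits = sum(
        1 for s in PREFIX_SYNTAX_STRINGS + ENV_VAR_NAME_STRINGS if s in data
    )
    echo_count = data.count(ECHO_STRING)  # "#envVarEcho"
    return {
        "prefix_hits": prefix_hits,
        "azure_set_hits": azure_set_hits,
        "echo_count": echo_count,
        "matched": prefix_hits >= 1 and azure_set_hits >= 3 and echo_count >= 3,
    }


# Constructed sample 1: conditional dump of each variable (the targeted pattern)
HARVESTER_SAMPLE = b"""#!/bin/bash
OUT=/tmp/.creds
if [ -n "$AZURE_CLIENT_ID" ]; then echo "AZURE_CLIENT_ID=$AZURE_CLIENT_ID" >> $OUT; fi
if [ -n "$AZURE_CLIENT_SECRET" ]; then echo "AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET" >> $OUT; fi
if [ -n "$AZURE_TENANT_ID" ]; then echo "AZURE_TENANT_ID=$AZURE_TENANT_ID" >> $OUT; fi
if [ -n "${AZURE_SUBSCRIPTION_ID}" ]; then echo "AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}" >> $OUT; fi
"""

# Constructed sample 2: legitimate deploy script, same variables, no dumping
DEPLOY_SAMPLE = b"""#!/bin/bash
az login --service-principal -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" --tenant "$AZURE_TENANT_ID"
az account set --subscription "$AZURE_SUBSCRIPTION_ID"
"""

# Constructed sample 3: harvester that never writes "$AZURE_" because it
# reads the variables by name through printenv inside a loop
PRINTENV_SAMPLE = b"""#!/bin/bash
for v in AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID; do
  if printenv "$v" >/dev/null; then echo "$v=$(printenv "$v")" >> /tmp/.x; fi
done
"""


def scan_all() -> dict:
    """Evaluate the three constructed samples; keyed by sample name."""
    return {
        "harvester": evaluate_rule(HARVESTER_SAMPLE),
        "deploy": evaluate_rule(DEPLOY_SAMPLE),
        "printenv": evaluate_rule(PRINTENV_SAMPLE),
    }


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:10s} {result}")
```

The deploy script clears both string clauses but has no `then echo `, so the occurrence threshold is what keeps it out; the printenv loop has the echo pattern and three of the names but never spells `$AZURE_` or `${AZURE_`, so the first clause is the only thing stopping a match. That makes the prefix-syntax strings the clause a hunter would most want to widen when tuning this rule.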