Looks for big numbers 20:sized

Hunt Hypothesis

The hypothesis is that the detection rule identifies potential obfuscation or encoding techniques used by adversaries to evade simple string-based detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover advanced persistent threats that may be using size-based obfuscation to hide malicious payloads or commands.

YARA Rule

rule Big_Numbers0
{
	meta:
		author = "_pusher_"
		description = "Looks for big numbers 20:sized"
		date = "2016-07"
	strings:
		$c0 = /[0-9a-fA-F]{20}/ fullword ascii
	condition:
		$c0
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 1 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: System backup process using rsync or tar that generates large temporary files
  Filter/Exclusion: Exclude files created by rsync or tar using the process name or command line arguments.
  Example Filter: process.name != "rsync" and process.name != "tar"

• Scenario: Log file rotation using logrotate that creates large temporary files
  Filter/Exclusion: Exclude files created by logrotate using the process name or command line arguments.
  Example Filter: process.name != "logrotate"

• Scenario: Scheduled job using cron or systemd that generates large output files (e.g., systemctl or crontab jobs)
  Filter/Exclusion: Exclude files generated by scheduled tasks using the process name or user context.
  Example Filter: process.name != "cron" and process.name != "systemd" and user != "root"

• Scenario: Database dump using mysqldump or pg_dump that creates large output files
  Filter/Exclusion: Exclude files created by database dump tools using the process name or command line arguments.
  Example Filter: process.name != "mysqldump" and process.name != "pg_dump"

• Scenario: Temporary files created by a legitimate application (e.g., ffmpeg, docker, or kubernetes) during processing
  Filter/Exclusion: Exclude files generated by known legitimate applications using process name or application-specific tags.
  Example Filter: process.name != "ffmpeg" and process.name != "docker" and process.name != "k8s" and process.name != "kubelet"