The Big_Numbers1 rule flags 32-digit hexadecimal values, that is 128-bit numbers (not 32-bit ones): MD5 digests, GUIDs written without hyphens, embedded cryptographic keys or IVs, and hex-encoded payload chunks that may indicate packed or obfuscated code. It is a low-fidelity hunting signal rather than an alert: run it over collected files or memory images and forward hits to a SIEM such as Azure Sentinel for correlation with other telemetry, because legitimate software is full of such values and the rule alone cannot tell a hash from a hidden payload.
YARA Rule
rule Big_Numbers1
{
    meta:
        author = "_pusher_"
        description = "Looks for big numbers 32:sized"
        date = "2016-07"
    strings:
        $c0 = /[0-9a-fA-F]{32}/ fullword wide ascii
    condition:
        $c0
}
The rule contains a single string pattern, $c0, and its condition fires whenever that pattern matches at least once, in either ASCII or UTF-16LE (wide) text. The fullword modifier means the 32 hex digits must not be bordered by another alphanumeric character, so a 32-digit run inside a longer hash, or a value prefixed with 0x, does not count. Because a 32-hex-digit word is a common artifact of legitimate software, expect false positives in the following contexts. Note that the pattern matches hexadecimal text, not arbitrary numbers: event IDs, timestamps, row counts and performance counters are far too short to trigger it, so exclusions should target the 128-bit hex values that actually do.
Scenario: Windows event logs collected during routine audits. EventID (e.g. 4624) and TimeCreated fields never match, but the Hashes field of Sysmon process-creation events carries MD5 digests, which are exactly 32 hex digits.
Filter/Exclusion: Exclude hits that sit inside a Hashes field (for example immediately after MD5=), or compare the matched value against your known-good file hash set before alerting.
Scenario: PowerShell scripts run from Task Scheduler. Numeric progress or Write-Output values do not match; GUIDs formatted without hyphens (Guid.ToString("N")) and hex-encoded keys or blobs embedded in scripts do.
Filter/Exclusion: Exclude values that correspond to known GUIDs and review the remaining hex literals manually; a 32-digit literal next to an XOR loop or a decryption routine is the case the rule is meant to surface.
Scenario: SQL Server Agent Job output. Row counts and integer IDs (SELECT COUNT(*), WHERE ID =) are too short to match, and uniqueidentifier values are normally rendered with hyphens, so they do not match either. MD5 checksums stored as 32-character text do match; the same value rendered with a 0x prefix does not, because the x is alphanumeric and defeats the fullword modifier.
Filter/Exclusion: Exclude columns known to hold MD5 checksums or hyphen-less GUIDs.
Scenario: Log platforms such as Splunk or the ELK Stack. Epoch timestamps (\d{10}) and metric values never match, but W3C trace IDs (the trace-id part of a traceparent header) are 32 lowercase hex digits, and MD5 checksums and session or request identifiers of the same shape are common in application logs.
Filter/Exclusion: Exclude matches that fall in fields carrying trace IDs, request IDs or checksums before treating a hit as suspicious.
Scenario: Performance counters (e.g. Processor\% Processor Time, Memory\Available MBytes) report decimal values for CPU, memory or disk I/O.
Filter/Exclusion: No exclusion is needed; decimal counter values cannot match a 32-hex-digit fullword.
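As an added example that is not part of the original page or of _pusher_'s rule, the following Python re-implements the matching semantics of $c0 (ASCII and wide encodings, fullword borders) and runs it over constructed sample buffers covering the scenarios above, so you can see which values actually fire: MD5 digests and hyphen-less GUIDs do, while event IDs, timestamps, row counts, hyphenated GUIDs, a longer SHA-256 hash and 0x-prefixed hex do not. The two regular expressions are my own approximation of YARA's fullword check, and every sample string is made up.

```python
import re

# Byte-level equivalents of the YARA string
#     $c0 = /[0-9a-fA-F]{32}/ fullword wide ascii
# "ascii" is the pattern as written. "wide" is the same text encoded as
# UTF-16LE, i.e. every character followed by a NUL byte. "fullword" requires
# that the match is not bordered by an alphanumeric character on either side.
# These regexes approximate YARA's fullword semantics; they are not YARA's code.
ASCII_RE = re.compile(rb"(?<![0-9A-Za-z])[0-9a-fA-F]{32}(?![0-9A-Za-z])")
WIDE_RE = re.compile(rb"(?<![0-9A-Za-z]\x00)(?:[0-9a-fA-F]\x00){32}(?![0-9A-Za-z]\x00)")


def big_numbers1_matches(data: bytes) -> list:
    """Return (offset, encoding, value) for every place $c0 matches in data."""
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    hits += [(m.start(), "wide", m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(data)]
    return sorted(hits)


def rule_fires(data: bytes) -> bool:
    """condition: $c0  -- true when the string matches at least once."""
    return bool(big_numbers1_matches(data))


def triage(samples: dict) -> dict:
    """Run the rule over a set of named buffers; returns name -> fired?"""
    return {name: rule_fires(buf) for name, buf in samples.items()}


# Constructed sample inputs (not taken from any real system).
SAMPLES = {
    # 32-hex-digit words the rule is designed to catch:
    "md5_digest":        b"hash=d41d8cd98f00b204e9800998ecf8427e end",
    "guid_no_hyphens":   b"{A5B3C2D1E4F60718293A4B5C6D7E8F90}",
    "wide_hex_constant": "key=0123456789abcdef0123456789ABCDEF;".encode("utf-16-le"),
    # Values from the page's false-positive scenarios that are far too short:
    "event_id":          b"EventID: 4624",
    "timestamp":         b"TimeCreated: 20240315T101500",
    "row_count":         b"SELECT COUNT(*) -> 1048576",
    # Edge cases around the fullword modifier:
    "sha256_no_match":   b"sha256=" + b"ab" * 32,   # 64 hex digits, no 32-digit fullword inside
    "hex_in_identifier": b"x" + b"0" * 32 + b"y",   # bordered by alphanumerics: rejected
    "prefixed_0x":       b"0xd41d8cd98f00b204e9800998ecf8427e",  # the 'x' of 0x is alphanumeric
    "hex_with_dashes":   b"a5b3c2d1-e4f6-0718-293a-4b5c6d7e8f90",  # hyphenated GUID: no 32-run
}


if __name__ == "__main__":
    for name, fired in triage(SAMPLES).items():
        print(f"{name:20s} {'MATCH' if fired else 'no match'}")
        for offset, encoding, value in big_numbers1_matches(SAMPLES[name]):
            print(f"    offset {offset:3d} ({encoding}): {value}")
```

Use this to sanity-check an exclusion idea before writing it into a pipeline: if the value you want to exclude never fires here, the exclusion is dead weight. Because the fullword emulation is an approximation, confirm borderline cases against real YARA (for example with yara-python's yara.compile(source=...) and .match(data=...)) before relying on them.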