The hypothesis is that this detection rule identifies files that embed a 48-character hexadecimal string, that is, a 192-bit value written out in hex. Runs of exactly that length are rare in ordinary text and are characteristic of hard-coded cryptographic material (192-bit keys such as AES-192 or Triple DES keys, NIST P-192 curve parameters, nonces and similar constants) of the kind carried inside crypto libraries, packers and malware. The match is purely syntactic, so a hit is a lead rather than a verdict: a SOC team should proactively scan executables, scripts and process memory with this rule, triage the hits against the rule's known benign sources, and pivot on confirmed findings in the SIEM (for example Azure Sentinel) to find hosts where tooling with embedded key material may be operating undetected.
YARA Rule
rule Big_Numbers2
{
meta:
author = "_pusher_"
description = "Looks for big numbers 48:sized"
date = "2016-07"
strings:
$c0 = /[0-9a-fA-F]{48}/ fullword wide ascii
condition:
$c0
}
This rule is written for file and process-memory scanning with YARA. Its detection logic contains one string pattern: a regular expression for a run of exactly 48 hexadecimal digits, matched in both ASCII and UTF-16LE (wide) encodings, and the condition fires on a single hit. The fullword modifier requires the run to be bounded by non-alphanumeric characters on both sides, so a longer hex string (a 64-digit SHA-256, for instance) or a 0x-prefixed constant does not match, while a value that follows an underscore or whitespace does.
Scenario: Source code and test suites of cryptographic libraries, which legitimately contain 192-bit constants such as NIST P-192 curve parameters and AES-192 or Triple DES test-vector keys written as 48 hex digits.
Filter/Exclusion: Exclude known library and test-vector directories from the scan scope, or tighten the condition to executables only (for PE files: uint16(0) == 0x5A4D and $c0) so that source trees are not scanned with this rule.
Scenario: Configuration files, secrets stores and environment files holding hex-encoded 24-byte keys or API tokens.
Filter/Exclusion: Exclude configuration and secrets paths from the scan scope, or route hits on those paths to a secrets-hygiene queue instead of treating them as malware indicators.
Scenario: Logs and databases that record hex-encoded 24-byte random identifiers such as session IDs, nonces or request IDs, where nearly every record would produce a hit.
Filter/Exclusion: Exclude log and database directories by path and do not run the rule over high-volume text data; use it on binaries, scripts and memory where a 192-bit constant is meaningful.
Scenario: Values the rule does not see: a constant prefixed with 0x in C source, or one that is part of a longer hex string such as a 64-digit hash, is rejected by the fullword modifier because it has an alphanumeric neighbour.
Filter/Exclusion: No exclusion is needed, but treat this as a blind spot as well as a noise reducer: an author who prefixes or pads constants defeats the rule, and big numbers of other sizes need sibling rules with other lengths.
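The following is an added example, not code from the original page or from the Yara-Rules project. It emulates the rule's single string pattern and condition in pure Python so the behaviour described above (ASCII and wide matching, the fullword boundary rule, and the PE-only tightening suggested in the first scenario) can be checked without a YARA install. It assumes YARA's fullword semantics are "no [0-9A-Za-z] neighbour on either side" and that wide means the same characters as UTF-16LE; the function and variable names and all sample inputs are constructed for the example.

```python
from __future__ import annotations

import hashlib
import re

# Added example, not part of the original page or of the Yara-Rules project.
# It emulates the single string pattern of Big_Numbers2,
#     $c0 = /[0-9a-fA-F]{48}/ fullword wide ascii
# in pure Python so the rule's behaviour can be examined without YARA.
# Assumption: "fullword" means the match is not adjacent to [0-9A-Za-z],
# and "wide" means the same characters interleaved with NUL bytes (UTF-16LE).

# ascii form: 48 hex digits with no alphanumeric neighbour on either side.
ASCII_PATTERN = re.compile(rb"(?<![0-9A-Za-z])[0-9a-fA-F]{48}(?![0-9A-Za-z])")

# wide form: every character is followed by 0x00; the fullword check looks at
# the neighbouring UTF-16LE code units rather than single bytes.
WIDE_PATTERN = re.compile(
    rb"(?<![0-9A-Za-z]\x00)(?:[0-9a-fA-F]\x00){48}(?![0-9A-Za-z]\x00)"
)


def big_numbers2_matches(data: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, value) for each hit, roughly what `yara -s` prints."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_PATTERN.finditer(data)]
    hits += [(m.start(), "wide", m.group().decode("utf-16-le"))
             for m in WIDE_PATTERN.finditer(data)]
    return sorted(hits)


def rule_fires(data: bytes) -> bool:
    """condition: $c0  (any single hit is enough)."""
    return bool(big_numbers2_matches(data))


def rule_fires_pe_only(data: bytes) -> bool:
    """Tightened variant, equivalent to `uint16(0) == 0x5A4D and $c0` in YARA:
    keeps the rule off source trees and logs and on Windows executables."""
    return data[:2] == b"MZ" and rule_fires(data)


# Constructed sample inputs (not real malware samples).
P192_PRIME = format(2**192 - 2**64 - 1, "x")        # NIST P-192 field prime, 48 hex digits
SHA256_HEX = hashlib.sha256(b"sample").hexdigest()  # 64 hex digits

SAMPLES = {
    "bare 192-bit constant":        P192_PRIME.encode(),
    "same constant, UTF-16LE":      P192_PRIME.encode("utf-16-le"),
    "constant after '_' in a name": b"key_" + P192_PRIME.encode() + b"\n",
    "0x-prefixed C literal":        b"0x" + P192_PRIME.encode() + b";",
    "64-digit SHA-256":             SHA256_HEX.encode(),
    "inside a PE-like blob":        b"MZ" + b"\x00" * 62 + P192_PRIME.encode(),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:30} fires={rule_fires(blob)!s:5} pe_only={rule_fires_pe_only(blob)}")
        for offset, enc, value in big_numbers2_matches(blob):
            print(f"    0x{offset:04x} {enc:5} {value}")
```

Running the script shows the two boundary effects that matter for triage: the SHA-256 and the 0x-prefixed literal never fire, because an alphanumeric character touches the 48-digit run, while the same constant after an underscore does fire, because fullword only cares about letters and digits. The wide hit on the UTF-16LE sample is what the rule produces on strings stored in .NET assemblies or Windows resources, and the PE-only variant is one way to express the scope restriction from the scenarios above inside the rule itself rather than in the scanner's path configuration.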