The hypothesis is that the rule flags potential obfuscation or encoding techniques adversaries use to evade simple string-based detection: its single pattern matches a run of exactly 64 hexadecimal characters (32 bytes), the length of a SHA-256 digest, a 256-bit key, or any hex-encoded 32-byte blob. A SOC team can hunt for this behavior in Azure Sentinel to surface threats that hide keys, payload fragments, or commands in hex-encoded data, keeping in mind that the same token shape appears in many benign artifacts, so the hits need triage rather than blocking.
YARA Rule
rule Big_Numbers3
{
    meta:
        author = "_pusher_"
        description = "Looks for big numbers 64:sized"
        date = "2016-07"
    strings:
        $c0 = /[0-9a-fA-F]{64}/ fullword wide ascii
    condition:
        $c0
}
This rule contains one string pattern ($c0) in its detection logic, and three details of that pattern matter in practice. The regex requires exactly 64 hexadecimal characters, which is the length of a SHA-256 digest or a 256-bit key written in hex. The fullword modifier requires the run to be delimited by non-alphanumeric characters on both sides, so a longer hex blob (for example 128 hex characters of encoded shellcode) does not match, because every 64-character window inside it is adjacent to another hex digit. The wide ascii modifiers make it match both plain ASCII and UTF-16LE text, so it also fires on hashes embedded in Windows binaries and other UTF-16 strings. The scenarios below describe benign activity that can produce such tokens and how to exclude it.
Scenario: Backup jobs using rsync or tar that also write integrity manifests (for example sha256sum output) alongside the archive; each SHA-256 digest is exactly 64 hex characters and matches. File-size reporting on its own does not trigger the rule, since a 64-bit counter prints as at most 20 decimal or 16 hex digits.
Filter/Exclusion: Exclude processes related to backup tools like rsync, tar, or backup-agent using the process name or command line arguments.
Scenario: Scheduled jobs using cron or systemd for log aggregation or data migration whose inputs or outputs carry SHA-256 checksums or other 256-bit identifiers written as contiguous hex.
Filter/Exclusion: Exclude processes initiated by cron or systemd using the command field or parent process identifiers.
Scenario: Administrative data transfers using dd or pv that are verified with a SHA-256 checksum of the source or target; the progress counters themselves are decimal and will not match.
Filter/Exclusion: Exclude processes related to dd, pv, or data-transfer using the command line or process name.
Scenario: Network monitoring tools like nmap or tcpdump. tcpdump hex dumps (-x) print 16-bit groups separated by spaces and do not match, but script or report output that prints a certificate or file hash as one contiguous 64-character string will.
Filter/Exclusion: Exclude processes associated with nmap, tcpdump, or sniffer using the process name or command line.
Scenario: Database backup or restore operations using tools like mysqldump, pg_dump, or mongodump whose dumps contain stored SHA-256 hashes or hex-encoded 256-bit keys and tokens (for example, password hash columns).
Filter/Exclusion: Exclude processes related to database tools like mysqldump, pg_dump, or mongodump using the command line or process name.
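To see why the scenarios above behave as described, the following Python re-implements the $c0 logic (fullword and wide semantics included) and runs it over a handful of constructed sample lines modelled on the tools named: sha256sum output, dd progress, a tcpdump hex dump, a 128-character hex blob, a glued token, and a UTF-16LE string. This is an added example, not the rule author's code or YARA itself; the sample lines are constructed, not captured.

```python
from __future__ import annotations

import re

# Pure-Python equivalent of Big_Numbers3's $c0 (added example, not the rule
# author's code). YARA "fullword" means the 64 hex digits must not touch another
# alphanumeric character on either side; "wide" additionally matches the
# UTF-16LE form in which each character is followed by a NUL byte.
HEX64_ASCII = re.compile(rb"(?<![0-9A-Za-z])[0-9A-Fa-f]{64}(?![0-9A-Za-z])")
HEX64_WIDE = re.compile(
    rb"(?<![0-9A-Za-z]\x00)(?:[0-9A-Fa-f]\x00){64}(?![0-9A-Za-z]\x00)"
)


def scan(data: bytes) -> list[tuple[int, str, bytes]]:
    """Return (offset, form, token) for every $c0 hit in `data`.
    Wide tokens are narrowed back to ASCII so they compare with hash lists."""
    hits = [(m.start(), "ascii", m.group()) for m in HEX64_ASCII.finditer(data)]
    hits += [(m.start(), "wide", m.group()[::2]) for m in HEX64_WIDE.finditer(data)]
    return sorted(hits)


def rule_matches(data: bytes) -> bool:
    """The rule's condition is just `$c0`, so a single hit fires it."""
    return bool(scan(data))


# Constructed sample inputs modelled on the benign scenarios above (not real captures).
SAMPLES = {
    # sha256sum output: a SHA-256 digest is exactly 64 hex characters -> hit.
    "sha256sum": b"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  backup.tar\n",
    # dd progress output: 64-bit counters print as at most 20 decimal digits -> no hit.
    "dd": b"10737418240 bytes (11 GB, 10 GiB) copied, 42.1 s, 255 MB/s\n",
    # tcpdump -x style dump: 16-bit groups separated by spaces -> no hit.
    "tcpdump": b"0x0000:  4500 003c 1c46 4000 4006 b1e6 c0a8 0001\n",
    # 128 contiguous hex characters: every 64-wide window touches another hex
    # digit, so fullword rejects all of them -> no hit.
    "hex128": b"0123456789abcdef" * 8 + b"\n",
    # 64 hex characters glued to a letter: fullword rejects it -> no hit.
    "glued": b"key=" + b"ab" * 32 + b"xyz\n",
    # The same shape inside a UTF-16LE string (e.g. a Windows binary) -> wide hit.
    "wide": ("Hash: " + "deadbeef" * 8 + "\r\n").encode("utf-16-le"),
}


def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each sample name to the decoded tokens the rule would report."""
    return {name: [tok.decode() for _, _, tok in scan(blob)] for name, blob in samples.items()}


if __name__ == "__main__":
    for name, tokens in triage(SAMPLES).items():
        print(f"{name:10s} {'MATCH' if tokens else 'no match':9s} {tokens}")
```

Running the block prints one line per sample; only the sha256sum line and the UTF-16LE string match. The practical consequence for the exclusions above is that filtering on the process name alone is coarse: a tighter allowlist keys on the matched token itself (for example, the digests in a known-good checksum manifest), which this scan function exposes for exactly that purpose.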