The hypothesis behind this rule is that a run of exactly 128 hexadecimal digits (a 512-bit value, not a 128-bit one) embedded in a file deserves a second look: it can be a hex-encoded key, a hash, or part of an encoded payload that an adversary uses to evade simple string-based detection. SOC teams can use the rule to hunt for such artifacts, for example by scanning files or process memory with YARA and feeding the matches into Azure Sentinel, and then triage each hit against the known benign sources of 512-bit hex values before treating it as evidence of encoding or exfiltration.
YARA Rule
rule Big_Numbers4
{
meta:
author = "_pusher_"
description = "Looks for big numbers 128:sized"
date = "2016-08"
strings:
$c0 = /[0-9a-fA-F]{128}/ fullword wide ascii
condition:
$c0
}
The rule contains a single string pattern: a regular expression matching a run of exactly 128 hexadecimal digits, checked in both ASCII and UTF-16LE (wide) encodings. The fullword modifier requires the run to be bounded by non-alphanumeric characters, so a longer hex run (for example a 256-digit value, or hex text glued to a letter) does not match at all, and base64-encoded data is never matched. The rule therefore casts a narrow net, and its hits should be read as "a 512-bit value written out in hex", not as a generic indicator of encoding.
The rule inspects string content only, never file sizes, so the realistic false positives are the places where 512-bit values are routinely written out as 128 hex digits:
Scenario: Checksum manifests and package metadata that list SHA-512 digests, such as sha512sum output (SHA512SUMS files) or distribution release files, where each digest is exactly 128 hex digits.
Filter/Exclusion: Exclude known checksum manifests by path or file name, and hits where the digest is followed by two spaces and a file name (the sha512sum line format).
Scenario: Source trees and binaries of cryptographic and hashing libraries that embed 512-bit constants or SHA-512 test vectors in hex.
Filter/Exclusion: Exclude vendored cryptographic library directories and build caches, or allowlist the specific known-good files by their own hash.
Scenario: Application configuration files that store a hex-encoded 512-bit secret, for example a Rails secret_key_base, which is generated as 128 hex characters.
Filter/Exclusion: Exclude the application's configuration directories only after confirming the files are under change control; the same value in an unexpected location (a temp directory, a user profile, a script) is still worth investigating.
Scenario: Logs and reports from build pipelines or verification steps that record SHA-512 digests of downloaded or produced files.
Filter/Exclusion: Exclude the log directories written by those tools, such as CI build logs or /var/log/ entries from package verification.
Scenario: Database dumps or exports produced by mysqldump or pg_dump that contain hex-encoded SHA-512 password hashes or other stored digests.
Filter/Exclusion: Exclude dump files produced by database tools under known database admin accounts (e.g., mysql, postgres), and handle them through the backup review process rather than the hunt.
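To make the matching semantics and the triage concrete, here is an added example (not code from the original page or from the rule's author) that re-implements the single pattern of Big_Numbers4 with Python's re module, so its hits and misses can be inspected without a YARA install. The fullword handling is an approximation of YARA's rule (no alphanumeric character immediately before or after the match, checked per encoding), the sample inputs are constructed for illustration, and is_checksum_line is a hypothetical triage helper of my own that recognises sha512sum-style lines.

```python
"""Approximate the matching semantics of YARA rule Big_Numbers4.

Added example, not code from the original page or from the rule author.
It re-implements the single pattern
    $c0 = /[0-9a-fA-F]{128}/ fullword wide ascii
with Python's `re` module. Sample inputs below are constructed.
"""
import hashlib
import re

# ASCII form: 128 hex digits not preceded or followed by an alphanumeric
# byte (approximation of YARA's `fullword` for ascii strings).
ASCII_RE = re.compile(rb"(?<![0-9A-Za-z])[0-9a-fA-F]{128}(?![0-9A-Za-z])")

# Wide form: the same digits as UTF-16LE (each char followed by a NUL).
# `fullword` is checked against the neighbouring wide characters.
WIDE_RE = re.compile(
    rb"(?<![0-9A-Za-z]\x00)(?:[0-9a-fA-F]\x00){128}(?![0-9A-Za-z]\x00)"
)


def scan(data: bytes) -> list:
    """Return (offset, encoding, token) triples for every match of $c0."""
    hits = []
    for m in ASCII_RE.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in WIDE_RE.finditer(data):
        hits.append((m.start(), "wide", m.group().decode("utf-16-le")))
    return sorted(hits)


def is_checksum_line(data: bytes, offset: int) -> bool:
    """Hypothetical triage helper: does the ASCII hit at `offset` look like
    sha512sum output (digest, two spaces, file name)? Usually benign."""
    line_end = data.find(b"\n", offset)
    line = data[offset : line_end if line_end != -1 else len(data)]
    return re.fullmatch(rb"[0-9a-fA-F]{128}  \S.*", line) is not None


# Constructed sample inputs (not taken from any real file).
SHA512_EMPTY = hashlib.sha512(b"").hexdigest().encode()  # 128 hex digits
SAMPLES = {
    # Benign: a SHA-512 checksum manifest.
    "sha512sum_manifest": b"# SHA512SUMS\n" + SHA512_EMPTY + b"  README.md\n",
    # Worth a look: a 512-bit hex blob assigned in a script.
    "hex_blob_in_script": b"$k = '" + b"ab" * 64 + b"';\n",
    # Same blob stored as UTF-16LE (e.g. a script saved as UCS-2).
    "hex_blob_wide": (" $k = '" + "ab" * 64 + "';\n").encode("utf-16-le"),
    # Not matched: 256 hex digits in a row. `fullword` rejects every
    # 128-digit window because a hex digit sits on at least one side.
    "hex_run_256": b"x=" + b"f" * 256 + b"\n",
    # Not matched: one digit short of 128.
    "hex_run_127": b"x=" + b"f" * 127 + b"\n",
}


def summarize() -> dict:
    """Map each sample name to (match_count, looks_like_checksum_line)."""
    out = {}
    for name, data in SAMPLES.items():
        hits = scan(data)
        benign = any(enc == "ascii" and is_checksum_line(data, off)
                     for off, enc, _ in hits)
        out[name] = (len(hits), benign)
    return out


if __name__ == "__main__":
    for name, (count, benign) in summarize().items():
        print(f"{name:22s} matches={count} checksum_line={benign}")
```

Running the block shows the two properties that matter when tuning the rule: the checksum manifest and the hex secret in a script both match (one hit each, the manifest flagged as a sha512sum line), the UTF-16LE copy is caught by the wide form, and the 256-digit run is missed entirely because no 128-digit window is bounded by non-alphanumeric characters. Anything longer or shorter than exactly 128 hex digits, or base64-encoded, is outside this rule's reach and needs a separate detection.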