The hypothesis is that this rule flags files containing a contiguous run of exactly 256 hexadecimal characters, which is a 1024-bit integer written out in hex: the size of an RSA-1024 modulus or signature, a Diffie-Hellman prime, or another big-number constant hard-coded into a binary or script. Hunting for this pattern on endpoints, file shares and in memory dumps helps a SOC team surface embedded cryptographic material (for example in packers or custom encryption routines) that signatures for the surrounding code may miss. The rule is a triage aid rather than a high-fidelity alert: a match means "this file carries a 1024-bit number", not that the file is malicious, so hits should be reviewed together with file type, path, signer and the decoded value itself.
YARA Rule
rule Big_Numbers5
{
    meta:
        author = "_pusher_"
        description = "Looks for big numbers 256:sized"
        date = "2016-08"
    strings:
        $c0 = /[0-9a-fA-F]{256}/ fullword wide ascii
    condition:
        $c0
}
The rule has a single string, $c0: a regular expression for exactly 256 consecutive hex digits (128 bytes, a 1024-bit value). The fullword modifier requires the run to be bounded by non-alphanumeric characters or by the start or end of the data, so a 257-digit run, a 0x-prefixed literal (x is alphanumeric) or a hex run glued to an identifier does not match, while "Modulus=<256 hex digits>" followed by a newline does. The ascii and wide modifiers make it match both single-byte text and UTF-16LE text, the latter being common in Windows binaries and PowerShell scripts. Because the pattern is a 256-repetition regex rather than a fixed string it is comparatively expensive to scan; on large repositories pair it with a file-size limit or file-type conditions. Benign sources of 256-digit hex strings are common, so the rule should be deployed with exclusions such as the ones below.
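To check the match semantics above without a YARA install, the following Python (an added example, not part of the Yara-Rules project or of this page's original content) reproduces the rule's regex with its fullword, ascii and wide modifiers using the standard re module and runs it over constructed samples: an openssl-style "Modulus=" line in ASCII and in UTF-16LE, a 0x-prefixed SQL literal, a quoted JSON field, 255- and 257-digit runs and a SHA-512 digest. The sample values are synthetic, not real keys, and the boundary handling is an emulation of libyara's fullword behaviour rather than its code.

```python
"""Emulate the Big_Numbers5 YARA rule in pure Python.

Added example, not part of the Yara-Rules project. The rule's single
string is /[0-9a-fA-F]{256}/ with the modifiers 'fullword wide ascii';
this module reproduces those semantics with 're' so the behaviour can be
checked on constructed samples. The boundary handling is an emulation of
libyara's fullword check, not a byte-for-byte copy of it.
"""
import re

HEX_RUN = 256  # 256 hex digits = 128 bytes = a 1024-bit integer

# ascii form: exactly 256 hex digits. 'fullword' means the run must not be
# preceded or followed by an alphanumeric byte (start/end of data is fine).
_ASCII = re.compile(rb"(?<![0-9A-Za-z])[0-9a-fA-F]{256}(?![0-9A-Za-z])")

# wide form: the same characters as UTF-16LE (each followed by 0x00); the
# boundary check looks at the neighbouring wide character instead.
_WIDE = re.compile(
    rb"(?<![0-9A-Za-z]\x00)(?:[0-9a-fA-F]\x00){256}(?![0-9A-Za-z]\x00)"
)


def _describe(offset: int, encoding: str, hexdigits: str) -> dict:
    """Decode the matched digits so an analyst can see the integer's size."""
    value = int(hexdigits, 16)
    return {"offset": offset, "encoding": encoding,
            "bits": value.bit_length(), "hex": hexdigits}


def big_numbers5_matches(data: bytes) -> list[dict]:
    """Return one dict per $c0 match (offset, encoding, decoded bit length)."""
    hits = []
    for m in _ASCII.finditer(data):
        hits.append(_describe(m.start(), "ascii", m.group(0).decode("ascii")))
    for m in _WIDE.finditer(data):
        hits.append(_describe(m.start(), "wide", m.group(0).decode("utf-16-le")))
    return sorted(hits, key=lambda h: h["offset"])


def rule_fires(data: bytes) -> bool:
    """The rule's condition is just '$c0': at least one match anywhere."""
    return bool(big_numbers5_matches(data))


# --- constructed samples (synthetic values, not real keys) -----------------
# 256 hex digits with a high leading nibble, so it decodes to a 1024-bit
# integer, as an RSA-1024 modulus would.
MODULUS_HEX = "c" + "0123456789abcdef" * 15 + "0123456789abcde"
assert len(MODULUS_HEX) == HEX_RUN

SAMPLES = {
    # 'openssl rsa -modulus -noout' style line: '=' and '\n' are boundaries
    "openssl_modulus_ascii": b"Modulus=" + MODULUS_HEX.encode() + b"\n",
    # the same text saved as UTF-16LE, e.g. a PowerShell script from ISE
    "openssl_modulus_wide": ("Modulus=" + MODULUS_HEX + "\n").encode("utf-16-le"),
    # SQL/C style 0x literal: 'x' is alphanumeric, so fullword rejects it
    "sql_0x_literal": b"INSERT INTO t VALUES (0x" + MODULUS_HEX.encode() + b");",
    # quoted JSON field: the quote is a boundary, so this one matches
    "json_quoted": b'{"key": "' + MODULUS_HEX.encode() + b'"}',
    # 255-digit run is too short; 257-digit run is not bounded by a non-alnum
    "too_short_255": b" " + MODULUS_HEX[:-1].encode() + b" ",
    "too_long_257": b" " + MODULUS_HEX.encode() + b"f ",
    # SHA-512 hex digest is only 128 digits and never reaches 256
    "sha512_hexdigest": b"e3b0" * 32 + b"  file.bin\n",
}


def scan_samples() -> dict[str, bool]:
    """Run the emulated rule over every constructed sample."""
    return {name: rule_fires(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in scan_samples().items():
        print(f"{name:24s} {'MATCH' if fired else 'no match'}")
    for hit in big_numbers5_matches(SAMPLES["openssl_modulus_wide"]):
        print(f"wide match at offset {hit['offset']}: {hit['bits']}-bit integer")
```

With the real tool the equivalent check is `yara -s Big_Numbers5.yar <file>`; -s prints the matched strings, which can be fed to the same decoding step to confirm that a hit really is a 1024-bit value rather than, say, a hex-encoded text blob whose leading digits happen to be zero.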
The field names in the example filters below are illustrative pseudo-syntax; map them to the equivalents in your scanning or EDR platform.
Scenario: Key-management or PKI tooling (e.g., openssl rsa -modulus, openssl dgst -hex) writing 1024-bit RSA moduli or signatures as contiguous hex into logs, inventories or configuration files.
Filter/Exclusion: Exclude known certificate and key directories and the output locations of those tools.
Example Filter: file.path NOT LIKE "/etc/ssl/%" AND file.path NOT LIKE "/etc/pki/%"
Scenario: Cryptographic library sources and test suites (e.g., OpenSSL, mbed TLS, language crypto packages) that embed big-number constants and test vectors as hex literals.
Filter/Exclusion: Allowlist vendor source trees and package caches, or allowlist known releases by file hash.
Example Filter: file.path NOT LIKE "/usr/src/%" AND file.path NOT LIKE "%/site-packages/%"
Scenario: Database or configuration exports that store binary fields as hex text (e.g., SQL dumps, JSON documents with hex-encoded fields). Note that 0x-prefixed literals do not match because of fullword, while quoted fields do.
Filter/Exclusion: Exclude backup and export locations written by the database service account.
Example Filter: file.extension NOT IN ("sql", "dump", "bak")
Scenario: Signed, inventoried software that ships hex-encoded data blobs, such as firmware images embedded in updaters or installer resources.
Filter/Exclusion: Exclude files carrying a valid signature from trusted publishers, or allowlist them by hash.
Example Filter: file.signature.status != "trusted"