Adversaries may cloak malicious payloads within seemingly benign JPG files to evade basic detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate stealthy malware that could persist undetected in the environment.
YARA Rule
rule Cloaked_as_JPG {
    meta:
        description = "Detects a cloaked file as JPG"
        author = "Florian Roth (eval section from Didier Stevens)"
        date = "2015/02/29"
        score = 70
    strings:
        $ext = "extension: .jpg"
    condition:
        $ext and uint16be(0x00) != 0xFFD8
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern in its detection logic; the rest of the condition is a check on the first two bytes of the file, which a genuine JPEG always begins with (FF D8, the SOI marker).
Scenario: A system backup job compresses JPG files with 7-Zip or WinRAR and saves the resulting archive with a .jpg extension for compatibility with legacy systems.
Filter/Exclusion: Exclude files created by 7-Zip or WinRAR using file metadata or process name checks (e.g., process.name = "7z.exe" or process.name = "WinRAR.exe").
Scenario: A scheduled task runs a script that generates temporary JPG files for testing or logging purposes using PowerShell or Python scripts.
Filter/Exclusion: Exclude files with a specific naming pattern (e.g., *_temp.jpg) or filter by file creation time within a known testing window.
Scenario: An administrator uses Bulk Rename Utility to rename non-JPG files to .jpg for file system compatibility or user access.
Filter/Exclusion: Exclude files with a specific file extension pattern (e.g., *.jpg but not matching a known renaming tool’s output pattern) or check for file content type mismatches.
Scenario: A user uploads a file via a web interface (e.g., Apache or Nginx) that is renamed to .jpg by the server for storage purposes.
Filter/Exclusion: Exclude files uploaded via known web servers or check for HTTP request patterns (e.g., POST /upload with specific headers).
Scenario: A system uses rsync or scp to transfer files between servers, and the destination system appends .jpg to filenames for consistency.
Filter/Exclusion: Exclude files with a specific source or destination IP, or filter based on file transfer tools (e.g., process.name = "rsync.exe" or process.name = "scp.exe").
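The following script is an added example, not the rule author's code or part of the original page. It reproduces the rule's logic in Python for hunting over file events (a .jpg name whose first two bytes, read big-endian like YARA's uint16be, are not FF D8) and then applies the kind of process-name and naming-pattern exclusions the scenarios above describe. Note that the rule's $ext string matches the literal text "extension: .jpg", so it relies on the scanner presenting that metadata alongside the content; here the extension is taken from the path instead. The FileEvent structure, the allow-listed process names, the *_temp.jpg pattern and all sample events are constructed for illustration and would be tuned to your own telemetry.

```python
import fnmatch
import struct
from dataclasses import dataclass

# JPEG files begin with the SOI marker FF D8; the YARA condition
# "uint16be(0x00) != 0xFFD8" fires on a .jpg whose first two bytes differ.
JPEG_SOI = 0xFFD8

# Constructed allow-lists mirroring the exclusion scenarios: creating
# processes and file-name patterns that legitimately produce non-JPEG
# content under a .jpg name. Hypothetical tuning values, not from the rule.
EXCLUDED_PROCESSES = {"7z.exe", "winrar.exe", "rsync.exe", "scp.exe"}
EXCLUDED_NAME_PATTERNS = ["*_temp.jpg"]

# A few well-known leading byte sequences, used only to label what was found
# so an analyst can triage hits faster.
MAGIC_HINTS = [
    (b"MZ", "PE executable (MZ)"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"Rar!\x1a\x07", "RAR archive"),
]


@dataclass
class FileEvent:
    """One file-creation event as a hunting query might return it (hypothetical shape)."""
    path: str
    creating_process: str
    head: bytes  # first bytes of the file content


def is_cloaked_jpg(path: str, head: bytes) -> bool:
    """Replicates the rule: named .jpg, but not starting with FF D8.

    Files shorter than two bytes: YARA's uint16be(0x00) is undefined there
    and the whole condition evaluates false, so we return False as well.
    """
    if not path.lower().endswith(".jpg"):
        return False
    if len(head) < 2:
        return False
    (magic,) = struct.unpack(">H", head[:2])  # big-endian 16-bit, like uint16be
    return magic != JPEG_SOI


def guess_content(head: bytes) -> str:
    """Label the real content type from its leading bytes, for triage."""
    for prefix, label in MAGIC_HINTS:
        if head.startswith(prefix):
            return label
    return "unknown"


def is_excluded(event: FileEvent) -> bool:
    """Apply the process-name and naming-pattern exclusions from the scenarios."""
    if event.creating_process.lower() in EXCLUDED_PROCESSES:
        return True
    name = event.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatch(name, pat) for pat in EXCLUDED_NAME_PATTERNS)


def hunt(events):
    """Return (path, content label) for every hit that survives the exclusions."""
    return [
        (e.path, guess_content(e.head))
        for e in events
        if is_cloaked_jpg(e.path, e.head) and not is_excluded(e)
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\bob\Pictures\holiday.jpg", "explorer.exe", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    FileEvent(r"C:\Users\bob\Pictures\invoice.jpg", "outlook.exe", b"MZ\x90\x00\x03\x00"),
    FileEvent(r"D:\backup\photos_2024.jpg", "7z.exe", b"7z\xbc\xaf\x27\x1c"),
    FileEvent(r"C:\tests\run42_temp.jpg", "powershell.exe", b"placeholder"),
    FileEvent(r"C:\share\empty.jpg", "explorer.exe", b""),
    FileEvent(r"C:\share\logo.jpg", "bulkrenameutility.exe", b"\x89PNG\r\n\x1a\n"),
]

if __name__ == "__main__":
    for path, label in hunt(SAMPLE_EVENTS):
        print(f"cloaked: {path} -> {label}")
```

On the sample set the 7-Zip archive and the *_temp.jpg test file drop out through the exclusions, the empty file is ignored exactly as the YARA condition would ignore it, and the two remaining hits are the PE and the renamed PNG. The renamed PNG is the kind of benign-but-suspicious case the Bulk Rename Utility scenario describes: leaving it in the results and labelling its true content is usually preferable to excluding it, since a content mismatch is the very signal being hunted.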