The CookiesStrings rule identifies samples of the malware family its author labels Cookies by two kinds of artifact: status messages compiled into the backdoor executable (the $exe strings, such as "Entry PostData!" and "perform exe success!") and traces of the self-extracting dropper that installs it (the $zip strings: an SFX script that silently runs a dropped ntdll.exe or %temp%\AcroRd32.exe, and an archive entry with one of those names immediately followed by a PK record signature). Despite the name, the rule has nothing to do with HTTP cookies. It is a file-content signature, not a log query: SOC teams hunt with it by scanning files on endpoints, mail gateways, sandboxes and sample repositories with a YARA-capable scanner, and a SIEM such as Azure Sentinel receives the resulting alerts rather than evaluating the rule itself. A hit indicates an installed backdoor or its dropper and should be treated as evidence of a possible broader compromise.
YARA Rule
rule CookiesStrings
{
    meta:
        description = "Cookies Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
    strings:
        $zip1 = "ntdll.exePK"
        $zip2 = "AcroRd32.exePK"
        $zip3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a"
        $zip4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a"
        $exe1 = "Leave GetCommand!"
        $exe2 = "perform exe success!"
        $exe3 = "perform exe failure!"
        $exe4 = "Entry SendCommandReq!"
        $exe5 = "Reqfile not exist!"
        $exe6 = "LeaveDealUpfile!"
        $exe7 = "Entry PostData!"
        $exe8 = "Leave PostFile!"
        $exe9 = "Entry PostFile!"
        $exe10 = "\\unknow.zip" wide ascii
        $exe11 = "the url no respon!"
    condition:
        (2 of ($zip*)) or (2 of ($exe*))
}
The rule declares 15 string patterns: 4 $zip strings and 11 $exe strings. It fires when at least two strings of either group are present, so a single stray string such as "Reqfile not exist!" in an unrelated file is not enough. Only $exe10 carries the wide ascii modifier and therefore matches both the ASCII and the UTF-16LE encoding of \unknow.zip; every other string matches as ASCII only, which matters because a variant that stores its messages as UTF-16 would be missed. The \x0d\x0a escapes in $zip3 and $zip4 are CRLF line endings, as written in an SFX script, and the doubled backslashes are YARA escapes for a single backslash.
This YARA rule can be deployed in the following contexts: endpoint file scanning with the yara command line or an EDR that loads YARA rules, mail-gateway attachment inspection, sandbox and malware-repository pipelines, and incident-response triage of suspicious archives and executables.
The scenarios below are the tuning cases that actually apply to this rule. Its strings are backdoor status messages and dropper artifacts, not HTTP cookies, so exclusions keyed on cookie names, session tokens, log sources or configuration-management file types would never be exercised and should not be added.
Scenario: Security content that quotes the indicator strings
Description: YARA rule collections (including any copy of this rule), threat-intelligence reports and detection documentation contain two or more of the $exe strings as plain ASCII text, which satisfies (2 of ($exe*)) exactly as a backdoor binary would.
Filter/Exclusion: Gate the $exe branch of the condition on a PE header, i.e. (uint16(0) == 0x5A4D and 2 of ($exe*)), and keep rule repositories and report directories out of the scan scope. Do not drop individual strings to quiet the rule; that weakens detection of the real binary.
Scenario: Legitimate self-extracting installers
Description: Self-extracting archives built with WinRAR-style SFX scripts legitimately use Setup= and Silent=1 directives, but $zip3 and $zip4 also fix the payload name to ntdll.exe or %temp%\AcroRd32.exe, where ntdll.exe mimics the Windows system library ntdll.dll and AcroRd32.exe is the name of the Adobe Reader executable. $zip1 and $zip2 likewise require an archived file with one of those names.
Filter/Exclusion: No exclusion; a hit on two $zip strings is a high-confidence indicator. Verify by listing and extracting the archive contents and hashing the embedded executable rather than by suppressing the alert.
Scenario: Malware repositories, sandboxes and quarantine stores
Description: Sample collections, sandbox artifact directories and AV quarantine folders hold known-malicious files, so the rule matching there is expected and not a false positive in the usual sense.
Filter/Exclusion: Route hits from these paths to a tagging or clustering workflow instead of incident creation, keyed on the scan source rather than on the file contents.
Scenario: Packed or encrypted droppers
Description: The $exe strings exist in the unpacked backdoor; a packed dropper may contain none of them on disk, so a match can appear only once the payload is extracted or loaded.
Filter/Exclusion: This is a coverage gap rather than a false positive: scan unpacked samples, dropped files and process memory in addition to the original file, and treat a $zip-only hit as a prompt to extract and rescan the payload.
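To make both the rule's matching semantics and the tuning notes concrete, the following is an added Python example, not code from the rule's author or from the page, that re-implements the CookiesStrings condition as plain byte matching and adds the PE/ZIP header gate proposed for the quoted-indicator scenario. The sample buffers are constructed for the example and are not real malware; a production deployment scans with yara itself (or yara-python), this only shows what the condition does and does not match.

```python
"""Re-implementation of the CookiesStrings condition as plain byte matching.

Added example for illustration; the samples below are constructed, not real
malware, and the functions mirror YARA semantics rather than replacing yara.
"""

# The 15 strings from the rule. YARA's \x0d\x0a escapes are CRLF, written
# here as \r\n. Backslashes are YARA escapes too, so "\\unknow.zip" is the
# 11-byte string \unknow.zip.
ZIP_STRINGS = {
    "zip1": b"ntdll.exePK",
    "zip2": b"AcroRd32.exePK",
    "zip3": b"Setup=ntdll.exe\r\nSilent=1\r\n",
    "zip4": b"Setup=%temp%\\AcroRd32.exe\r\n",
}
EXE_STRINGS = {
    "exe1": b"Leave GetCommand!",
    "exe2": b"perform exe success!",
    "exe3": b"perform exe failure!",
    "exe4": b"Entry SendCommandReq!",
    "exe5": b"Reqfile not exist!",
    "exe6": b"LeaveDealUpfile!",
    "exe7": b"Entry PostData!",
    "exe8": b"Leave PostFile!",
    "exe9": b"Entry PostFile!",
    "exe10": b"\\unknow.zip",
    "exe11": b"the url no respon!",
}
# Only $exe10 is declared "wide ascii"; everything else is ASCII-only.
WIDE_STRINGS = {"exe10"}

MZ_MAGIC = b"MZ"          # PE executable: uint16(0) == 0x5A4D in YARA
PK_MAGIC = b"PK\x03\x04"  # ZIP local file header: uint32(0) == 0x04034B50


def _forms(name, pattern):
    """Byte forms a YARA string matches: ASCII, plus UTF-16LE if 'wide'."""
    forms = [pattern]
    if name in WIDE_STRINGS:
        forms.append(pattern.decode("ascii").encode("utf-16-le"))
    return forms


def find_matches(data):
    """Return {string_name: offset} for every rule string found in data."""
    hits = {}
    for group in (ZIP_STRINGS, EXE_STRINGS):
        for name, pattern in group.items():
            for form in _forms(name, pattern):
                offset = data.find(form)
                if offset != -1:
                    hits[name] = offset
                    break
    return hits


def _counts(hits):
    zip_hits = sum(1 for n in hits if n.startswith("zip"))
    exe_hits = sum(1 for n in hits if n.startswith("exe"))
    return zip_hits, exe_hits


def rule_fires(data):
    """The original condition: (2 of ($zip*)) or (2 of ($exe*))."""
    zip_hits, exe_hits = _counts(find_matches(data))
    return zip_hits >= 2 or exe_hits >= 2


def rule_fires_tuned(data):
    """Tuned condition (an assumption of this example, not the original rule):
    $exe strings must sit in a PE file, $zip strings in a PE (SFX stub) or a
    ZIP. Text files that merely quote the strings no longer fire."""
    zip_hits, exe_hits = _counts(find_matches(data))
    is_pe = data.startswith(MZ_MAGIC)
    is_zip = data.startswith(PK_MAGIC)
    return (is_pe and exe_hits >= 2) or ((is_pe or is_zip) and zip_hits >= 2)


# Constructed sample buffers (not real files).
# 1. Backdoor-like PE: one ASCII status string plus the UTF-16LE form of
#    \unknow.zip. Only $exe10's "wide" modifier lets the second one match.
SAMPLE_BACKDOOR = (
    MZ_MAGIC + b"\x00" * 62 + b"PE\x00\x00"
    + b"Entry PostData!\x00"
    + "\\unknow.zip".encode("utf-16-le") + b"\x00\x00"
)
# 2. SFX-style dropper: the setup script plus an archive entry named
#    ntdll.exe immediately followed by a PK record signature.
SAMPLE_SFX_DROPPER = (
    MZ_MAGIC + b"\x00" * 62
    + b"Setup=ntdll.exe\r\nSilent=1\r\n"
    + b"ntdll.exePK\x03\x04" + b"\x00" * 16
)
# 3. PE with a single status string: below the "2 of" threshold.
SAMPLE_ONE_STRING = MZ_MAGIC + b"\x00" * 62 + b"perform exe success!\x00"
# 4. Text report quoting two indicators: the original rule fires on it,
#    the tuned condition does not.
SAMPLE_REPORT = b'IOCs seen: "Leave GetCommand!" and "perform exe success!"\n'


if __name__ == "__main__":
    for label, blob in [("backdoor", SAMPLE_BACKDOOR), ("sfx", SAMPLE_SFX_DROPPER),
                        ("one-string", SAMPLE_ONE_STRING), ("report", SAMPLE_REPORT)]:
        print(f"{label:10} matches={sorted(find_matches(blob))} "
              f"original={rule_fires(blob)} tuned={rule_fires_tuned(blob)}")
```

Running the script prints, for each constructed buffer, which strings matched and whether the original and tuned conditions fire; the report sample is the case that separates the two, and the one-string sample shows why the "2 of" threshold exists.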