The Compare string function may indicate an adversary attempting to manipulate or bypass system checks by comparing strings in a way that could hide malicious payloads or evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential obfuscation tactics and uncover hidden malicious activities.
YARA Rule
rule Delphi_CompareCall {
    meta:
        author = "_pusher_"
        description = "Look for Compare string function"
        date = "2016-07"
    strings:
        $c0 = { 53 56 57 89 C6 89 D7 39 D0 0F 84 8F 00 00 00 85 F6 74 68 85 FF 74 6B 8B 46 FC 8B 57 FC 29 D0 77 02 01 C2 52 C1 EA 02 74 26 8B 0E 8B 1F 39 D9 75 58 4A 74 15 8B 4E 04 8B 5F 04 39 D9 75 4B 83 C6 08 83 C7 08 4A 75 E2 EB 06 83 C6 04 83 C7 04 5A 83 E2 03 74 22 8B 0E 8B 1F 38 D9 75 41 4A 74 17 38 FD 75 3A 4A 74 10 81 E3 00 00 FF 00 81 E1 00 00 FF 00 39 D9 75 27 01 C0 EB 23 8B 57 FC 29 D0 EB 1C 8B 46 FC 29 D0 EB 15 5A 38 D9 75 10 38 FD 75 0C C1 E9 10 C1 EB 10 38 D9 75 02 38 FD 5F 5E 5B C3 }
        // newer Delphi
        $c1 = { 39 D0 74 30 85 D0 74 22 8B 48 FC 3B 4A FC 75 24 01 C9 01 C8 01 CA F7 D9 53 8B 1C 01 3B 1C 11 75 07 83 C1 04 78 F3 31 C0 5B C3 }
        // x64
        $c2 = { 41 56 41 55 57 56 53 48 83 EC 20 48 89 D3 48 3B CB 75 05 48 33 C0 EB 74 48 85 C9 75 07 8B 43 FC F7 D8 EB 68 48 85 DB 75 05 8B 41 FC EB 5E 8B 79 FC 44 8B 6B FC 89 FE 41 3B F5 7E 03 44 89 EE E8 ?? ?? ?? ?? 49 89 C6 48 89 D9 E8 ?? ?? ?? ?? 48 89 C1 85 F6 7E 30 41 0F B7 06 0F B7 11 2B C2 85 C0 75 29 83 FE 01 74 1E 41 0F B7 46 02 0F B7 51 02 2B C2 85 C0 75 15 49 83 C6 04 48 83 C1 04 83 EE 02 85 F6 7F D0 90 8B C7 41 2B C5 48 83 C4 20 5B 5E 5F 41 5D 41 5E C3 }
    condition:
        any of them
}
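As an added example (not part of this page or the rule author's tooling), a small Python matcher that shows how the rule's hex strings, including the ?? wildcards in $c2, are evaluated against a byte buffer and how the "any of them" condition combines the hits. The buffers it scans are constructed samples, not real binaries.

```python
"""Minimal matcher for YARA hex strings with ?? wildcards, applied to $c1 and $c2
from the Delphi_CompareCall rule. Added example; not the rule author's code."""
import re
from typing import Dict

# Patterns copied verbatim from the rule above.
C1 = "39 D0 74 30 85 D0 74 22 8B 48 FC 3B 4A FC 75 24 01 C9 01 C8 01 CA F7 D9 53 8B 1C 01 3B 1C 11 75 07 83 C1 04 78 F3 31 C0 5B C3"
C2 = "41 56 41 55 57 56 53 48 83 EC 20 48 89 D3 48 3B CB 75 05 48 33 C0 EB 74 48 85 C9 75 07 8B 43 FC F7 D8 EB 68 48 85 DB 75 05 8B 41 FC EB 5E 8B 79 FC 44 8B 6B FC 89 FE 41 3B F5 7E 03 44 89 EE E8 ?? ?? ?? ?? 49 89 C6 48 89 D9 E8 ?? ?? ?? ?? 48 89 C1 85 F6 7E 30 41 0F B7 06 0F B7 11 2B C2 85 C0 75 29 83 FE 01 74 1E 41 0F B7 46 02 0F B7 51 02 2B C2 85 C0 75 15 49 83 C6 04 48 83 C1 04 83 EE 02 85 F6 7F D0 90 8B C7 41 2B C5 48 83 C4 20 5B 5E 5F 41 5D 41 5E C3"
RULE = {"$c1": C1, "$c2": C2}


def hex_pattern_to_regex(hex_string: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string (byte tokens and ?? wildcards) into a bytes regex."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")  # wildcard: any single byte (DOTALL so 0x0A matches too)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_matches(data: bytes, patterns: Dict[str, str]) -> Dict[str, int]:
    """Return {pattern_name: first_offset} for every pattern present in data.
    A non-empty result is what the rule's 'any of them' condition requires."""
    hits = {}
    for name, hex_string in patterns.items():
        m = hex_pattern_to_regex(hex_string).search(data)
        if m:
            hits[name] = m.start()
    return hits


def pattern_bytes(hex_string: str, filler: int = 0x90) -> bytes:
    """Build bytes that satisfy a hex pattern, using filler for each ?? (constructed data)."""
    return bytes(filler if tok == "??" else int(tok, 16) for tok in hex_string.split())


# Constructed sample buffers: each embeds one pattern at a known offset; CLEAN has none.
SAMPLE_C1 = b"\x00" * 16 + pattern_bytes(C1) + b"\xcc" * 8
SAMPLE_C2 = b"MZ" + b"\x00" * 30 + pattern_bytes(C2, filler=0x41) + b"\x00" * 4
CLEAN = bytes(range(256)) * 2

if __name__ == "__main__":
    for label, buf in (("c1", SAMPLE_C1), ("c2", SAMPLE_C2), ("clean", CLEAN)):
        print(label, find_matches(buf, RULE) or "no match")
```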
This rule contains 3 string patterns ($c0, $c1 and $c2) in its detection logic, and its condition fires when any of them matches. The following scenarios describe contexts in which this rule can be deployed, together with the filters or exclusions that apply in each:
Scenario: Scheduled backup job using Compare-Object in PowerShell to verify data consistency
Filter/Exclusion: Exclude processes initiated by the backup service account, or filter on the command-line argument -IncludeEqual or -ExcludeDifferent.

Scenario: System administrators using Compare-String in PowerShell to validate configuration changes
Filter/Exclusion: Filter by user account (e.g., Administrator) and exclude commands that include -Pattern or -CaseSensitive.

Scenario: Log parsing script using Compare-String to match log entries against a known pattern
Filter/Exclusion: Exclude processes running under a log analysis service (e.g., LogParser) and filter on the presence of -InputObject or -Pattern.

Scenario: Automated deployment script using Compare-Object to check for file differences before deployment
Filter/Exclusion: Exclude processes initiated by a CI/CD pipeline (e.g., Azure DevOps) and filter on the presence of -PassThru or -IncludeEqual.

Scenario: Security tool integration using Compare-String to validate against a threat intelligence list
Filter/Exclusion: Exclude processes associated with a known security tool (e.g., CrowdStrike, SentinelOne) and filter on the presence of -InputObject or -Pattern.