Use of the IntToStr function may indicate an adversary attempting to obfuscate or encode data within application logs, masking malicious activity. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify potential data exfiltration or command-and-control communication attempts.
YARA Rule
rule Delphi_IntToStr {
    meta:
        author = "_pusher_"
        description = "Look for IntToStr function"
        date = "2016-04"
        version = "0.1"
    strings:
        $c0 = { 55 8B EC 81 C4 00 FF FF FF 53 56 8B F2 8B D8 FF 75 0C FF 75 08 8D 85 00 FF FF FF E8 ?? ?? ?? ?? 8D 95 00 FF FF FF 8B C6 E8 ?? ?? ?? ?? EB 0E 8B 0E 8B C6 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 06 E8 ?? ?? ?? ?? 33 D2 8A D3 3B C2 72 E3 5E 5B 8B E5 5D C2 08 00 }
        //x64 rad
        $c1 = { 53 48 83 EC 20 48 89 CB 48 85 D2 7D 10 48 89 D9 48 F7 DA 41 B0 01 E8 ?? ?? ?? ?? EB 0B 48 89 D9 4D 33 C0 E8 ?? ?? ?? ?? 48 89 D8 48 83 C4 20 5B C3 }
    condition:
        any of them
}
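How the two hex strings of this rule are evaluated, as an added example that is not part of the original rule or its author's tooling: a small Python stand-in for yara-python (assumed not installed) that turns each hex string into a bytes regex, treats every `??` as a one-byte wildcard (here they cover the 32-bit operands of the E8 calls and the BA mov, which change from build to build), and applies the `any of them` condition to a constructed buffer. Since the patterns are compiled Delphi code bytes, the rule is meant for scanning files or memory rather than log text.

```python
import re

# The two hex strings of the Delphi_IntToStr rule, copied from the rule above.
C0 = ("55 8B EC 81 C4 00 FF FF FF 53 56 8B F2 8B D8 FF 75 0C FF 75 08 8D 85 00 FF FF FF "
      "E8 ?? ?? ?? ?? 8D 95 00 FF FF FF 8B C6 E8 ?? ?? ?? ?? EB 0E 8B 0E 8B C6 BA ?? ?? ?? ?? "
      "E8 ?? ?? ?? ?? 8B 06 E8 ?? ?? ?? ?? 33 D2 8A D3 3B C2 72 E3 5E 5B 8B E5 5D C2 08 00")
C1 = ("53 48 83 EC 20 48 89 CB 48 85 D2 7D 10 48 89 D9 48 F7 DA 41 B0 01 E8 ?? ?? ?? ?? "
      "EB 0B 48 89 D9 4D 33 C0 E8 ?? ?? ?? ?? 48 89 D8 48 83 C4 20 5B C3")


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex.

    Only the constructs this rule uses are handled: literal bytes and the
    full-byte wildcard `??` (YARA also has nibble wildcards and jumps)."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(b"\\x%02X" % int(tok, 16))  # escaped literal byte
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: `.` must match 0x0A too


STRINGS = {"$c0": hex_pattern_to_regex(C0), "$c1": hex_pattern_to_regex(C1)}


def scan(data: bytes) -> dict:
    """Return {string_id: [offsets]} for each string that matches `data`.

    The rule's condition `any of them` is satisfied exactly when the result
    is non-empty; `all of them` would require both keys to be present."""
    hits = {}
    for sid, rx in STRINGS.items():
        offsets = [m.start() for m in rx.finditer(data)]
        if offsets:
            hits[sid] = offsets
    return hits


def build_sample(pattern: str, filler: int = 0x41, pad: bytes = b"\x90" * 16) -> bytes:
    """Constructed test buffer (not a real binary): the pattern with every `??`
    replaced by `filler`, standing in for the per-build operand bytes that the
    wildcards exist to ignore, surrounded by padding on both sides."""
    body = bytes(filler if tok == "??" else int(tok, 16) for tok in pattern.split())
    return pad + body + pad


if __name__ == "__main__":
    print(scan(build_sample(C1)))   # {'$c1': [16]}: rule fires via `any of them`
```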
This rule contains 2 string patterns in its detection logic.

This YARA rule can be deployed in the following contexts, each with a suggested filter or exclusion:

Scenario: A system administrator is using PowerShell to convert integer values to strings for logging purposes.
Filter/Exclusion: Exclude processes associated with powershell.exe where the command line includes -Command or -File and contains ConvertTo-String or ToString().

Scenario: A scheduled job runs a SQL Server Agent task that uses IntToStr in a T-SQL script to format numeric output.
Filter/Exclusion: Exclude events related to sqlagent or sqlservr.exe and filter out any SQL scripts that explicitly use IntToStr or similar string conversion functions.

Scenario: A network monitoring tool like Wireshark or tcpdump is parsing packet data and using IntToStr to convert numeric fields to human-readable strings.
Filter/Exclusion: Exclude processes related to wireshark, tcpdump, or tshark and filter out any logs or data that are part of network analysis workflows.

Scenario: A custom script written in Python or Bash is converting integers to strings for output or file generation.
Filter/Exclusion: Exclude processes running under python or bash where the script path or command line includes known legitimate conversion scripts or tools.

Scenario: A Windows Task Scheduler job is running a VBScript or JScript script that uses IntToStr for output formatting.
Filter/Exclusion: Exclude processes associated with schtasks.exe or cscript.exe and filter out any scripts that are known to be part of scheduled maintenance or reporting tasks.