This detection rule identifies use of the Delphi Random function in a binary, which may indicate an adversary attempting to obfuscate code or generate unpredictable values for malicious purposes. SOC teams should proactively hunt for this behaviour in Azure Sentinel to uncover potential evasion tactics or data-manipulation attempts that could signal advanced persistent threats.
YARA Rule
rule Delphi_Random {
    meta:
        author = "_pusher_"
        description = "Look for Random function"
        date = "2015-08"
        version = "0.1"
    strings:
        // x86 Random
        $c0 = { 53 31 DB 69 93 ?? ?? ?? ?? 05 84 08 08 42 89 93 ?? ?? ?? ?? F7 E2 89 D0 5B C3 }
        // x64 Random
        $c1 = { 8B 05 ?? ?? ?? ?? 69 C0 05 84 08 08 83 C0 01 89 05 ?? ?? ?? ?? 8B C9 8B C0 48 0F AF C8 48 C1 E9 20 89 C8 C3 }
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic: $c0 for 32-bit code and $c1 for x64 code. Both key on the immediate 05 84 08 08 (the constant 0x08088405 used by Delphi's Random), while the ?? wildcards stand in for the 4-byte address of the RandSeed global, which differs from binary to binary.
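To show how the rule's hex strings with ?? wildcards are matched, here is an added Python example (not part of the original rule or page) that turns each YARA hex string into a byte regex, scans a constructed buffer, and reads back the 0x08088405 multiplier from a $c0 hit. The RandSeed displacement 0x00405A10 and the padding bytes are assumptions made up for the test buffer.

```python
import re
from typing import List, Tuple

# Hex strings copied from the Delphi_Random YARA rule above; "??" is a one-byte wildcard
# standing in for the 4-byte displacement of the RandSeed global, which differs per binary.
C0_X86 = "53 31 DB 69 93 ?? ?? ?? ?? 05 84 08 08 42 89 93 ?? ?? ?? ?? F7 E2 89 D0 5B C3"
C1_X64 = ("8B 05 ?? ?? ?? ?? 69 C0 05 84 08 08 83 C0 01 89 05 ?? ?? ?? ?? "
          "8B C9 8B C0 48 0F AF C8 48 C1 E9 20 89 C8 C3")

def yara_hex_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex: fixed bytes become escaped
    literals, each '??' becomes '.', and DOTALL lets '.' match any byte value."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def scan(buf: bytes) -> List[Tuple[str, int]]:
    """Return (string name, offset) for every occurrence of $c0 or $c1 in buf.
    A non-empty result is what the rule's 'any of them' condition fires on."""
    hits = []
    for name, pat in (("$c0", C0_X86), ("$c1", C1_X64)):
        hits.extend((name, m.start()) for m in yara_hex_to_regex(pat).finditer(buf))
    return hits

def lcg_multiplier(buf: bytes, offset: int) -> int:
    """Read the imul immediate at a $c0 hit: bytes 9..12 after the match start, i.e.
    after 'push ebx; xor ebx,ebx; imul edx,[ebx+disp32],imm32' opcodes and displacement.
    For Delphi's Random this is 0x08088405, the LCG multiplier the rule keys on."""
    return int.from_bytes(buf[offset + 9 : offset + 13], "little")

def build_sample() -> bytes:
    """Constructed test buffer, not bytes from a real binary: the $c0 sequence with a
    made-up RandSeed displacement (0x00405A10, an assumption), padded with NOPs and INT3s."""
    disp = (0x00405A10).to_bytes(4, "little")
    body = (bytes.fromhex("5331DB6993") + disp
            + bytes.fromhex("05840808428993") + disp
            + bytes.fromhex("F7E289D05BC3"))
    return b"\x90" * 16 + body + b"\xcc" * 16

if __name__ == "__main__":
    sample = build_sample()
    for name, off in scan(sample):
        print(f"{name} matched at offset {off}, multiplier 0x{lcg_multiplier(sample, off):08x}")
```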
Scenario: A system administrator is using PowerShell to generate random passwords for user accounts during a routine security audit.
Filter/Exclusion: Exclude processes initiated by the Local System account, or running under the Administrators group, whose command line contains GeneratePassword or New-Random.
Scenario: A scheduled job in SQL Server Agent is using the RAND() function to generate random test data for a database load test.
Filter/Exclusion: Exclude processes with the sqlservr.exe process name and command lines containing RAND() or TestLoad.
Scenario: A DevOps engineer is using Ansible to randomly assign IP addresses to virtual machines during a deployment.
Filter/Exclusion: Exclude processes whose command line invokes ansible, together with any use of the random module or random.choice() in the playbook.
Scenario: A Windows Task Scheduler job is using a script to randomly select files for archiving as part of a backup process.
Filter/Exclusion: Exclude tasks with the schtasks.exe process name and command lines containing RandomFileSelector or Get-Random.
Scenario: A Python script running in a Jenkins CI/CD pipeline uses the random module to randomly select test cases for execution.
Filter/Exclusion: Exclude processes with the python executable and command lines containing random.choice() or random.sample().