The byte sequence in this rule is the compiled body of Delphi's RTL RandomRange function (Math unit), which returns Random(ATo - AFrom) + AFrom, with the two operands swapped when AFrom > ATo; the two E8 ?? ?? ?? ?? wildcards are the relative calls to Random, whose displacement differs from binary to binary. A match therefore tells you that the file was built with Delphi and statically links that routine. It is not, by itself, evidence of malicious intent: every Delphi program that calls RandomRange will match. Its value is in triage. A bounded random value is what an author reaches for to jitter sleep intervals between beacons, to vary generated file, mutex or registry names, or to pad a payload, so a hit on an unknown, unsigned binary is worth a look, and the rule doubles as a Delphi compiler fingerprint when classifying samples. Run it with a YARA scanner over files, sandbox output or memory dumps (not over process telemetry), and forward matches to the SIEM, for example Azure Sentinel, so they can be correlated with the process, network and timing events that would turn "uses RandomRange" into an actual finding.
YARA Rule
rule Delphi_RandomRange {
    meta:
        author = "_pusher_"
        description = "Look for RandomRange function"
        date = "2016-06"
        version = "0.1"
    strings:
        $c0 = { 56 8B F2 8B D8 3B F3 7D 0E 8B C3 2B C6 E8 ?? ?? ?? ?? 03 C6 5E 5B C3 8B C6 2B C3 E8 ?? ?? ?? ?? 03 C3 5E 5B C3 }
    condition:
        $c0
}
This rule can be deployed wherever a YARA engine sees file content: on-demand scans of a filesystem or sample repository, the file-scanning hook of an EDR or sandbox, a mail-gateway attachment scanner, or scans of a memory dump or unpacked process image (the pattern is code, so it survives unpacking even when the packed file on disk does not match).
The detection logic is a single hex string, $c0, and the condition is simply that the string occurs anywhere in the scanned data. There is no file-type, size or import constraint, so a match on a non-PE file (a document, an archive, a capture) usually means embedded or appended Delphi code and deserves more attention than a match on an ordinary Delphi executable.
A note on exclusions: this rule matches bytes inside a file, so filters expressed in terms of the process name or command line that happened to run the file do not apply, and a PowerShell script or a .NET assembly never contains this Delphi machine code in the first place. Exclude by the identity of the matched file (SHA-256 hash, verified Authenticode signer, or a tightly scoped install path), never by a word such as "test", "debug" or "log" in a name, which an attacker can put in a path at no cost.
Scenario: A signed, commercially developed Delphi application (an installer, an update agent, a line-of-business tool) calls RandomRange and is flagged on every host where it is installed.
Filter/Exclusion: Allow-list the file by SHA-256 or by its verified Authenticode signer, and re-review the entry whenever the hash at that path changes.
Scenario: A developer builds and runs Delphi test executables that use RandomRange to generate sample data during testing.
Filter/Exclusion: Exclude the known build-output directories on developer workstations, or add each build's hashes to the allow-list per release; keep the rule active for the rest of the filesystem.
Scenario: A scheduled task runs an in-house Delphi reporting tool that uses RandomRange to generate sample data.
Filter/Exclusion: Allow-list the executable's hash at the path the scheduler launches it from, and alert if a different hash appears at that path.
Scenario: A red-team or breach-simulation tool written in Delphi uses RandomRange for jittered timing during an authorized exercise.
Filter/Exclusion: Suppress matches for the exercise's file hashes only during the scheduled window, and leave the alert enabled outside it.
Scenario: A security agent or SIEM forwarder is itself a Delphi binary and matches on every endpoint.
Filter/Exclusion: Allow-list the vendor's signed binaries by signer and hash rather than by process name, otherwise an unsigned file named after the agent would be excluded too.