This rule looks for the compiled Delphi StrToInt function. Its presence may indicate an attempt to manipulate data types to execute arbitrary code or bypass security controls, so SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify potential code injection or obfuscation tactics used by adversaries.
YARA Rule

rule Delphi_StrToInt {
    meta:
        author = "_pusher_"
        description = "Look for StrToInt function"
        date = "2016-06"
        version = "0.1"
    strings:
        $c0 = { 53 56 83 C4 F4 8B D8 8B D4 8B C3 E8 ?? ?? ?? ?? 8B F0 83 3C 24 00 74 19 89 5C 24 04 C6 44 24 08 0B 8D 54 24 04 A1 ?? ?? ?? ?? 33 C9 E8 ?? ?? ?? ?? 8B C6 83 C4 0C 5E 5B C3 }
        //x64 rad
        $c1 = { 55 56 53 48 83 EC 40 48 8B EC 48 89 CB 48 89 D9 48 8D 55 3C E8 ?? ?? ?? ?? 89 C6 83 7D 3C 00 74 1B 48 89 5D 20 C6 45 28 11 48 8B 0D ?? ?? ?? ?? 48 8D 55 20 4D 33 C0 E8 ?? ?? ?? ?? 89 F0 48 8D 65 40 5B 5E 5D C3 }
    condition:
        any of them
}
The rule contains two string patterns in its detection logic, $c0 and $c1 (the latter commented as the x64 variant), and fires when either one is found. The scenarios below describe benign activity that can produce noise and the exclusions a tuning pass might apply.
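The following Python script is an added example, not part of this page or of _pusher_'s rule set, and it does not depend on the yara library. It translates the rule's two hex strings into byte regexes (each `??` matches any single byte, which is why the four-byte relative operands after the E8 call, the A1 mov and the 48 8B 0D mov can differ from build to build without breaking the match), scans a constructed buffer that embeds both sequences plus a one-byte-altered copy, and reports offsets the way a scanner would. The sample buffer, the filler bytes and the operand values are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Hex strings copied verbatim from the Delphi_StrToInt rule above.
C0 = ("53 56 83 C4 F4 8B D8 8B D4 8B C3 E8 ?? ?? ?? ?? 8B F0 83 3C 24 00 74 19 "
      "89 5C 24 04 C6 44 24 08 0B 8D 54 24 04 A1 ?? ?? ?? ?? 33 C9 E8 ?? ?? ?? ?? "
      "8B C6 83 C4 0C 5E 5B C3")
C1 = ("55 56 53 48 83 EC 40 48 8B EC 48 89 CB 48 89 D9 48 8D 55 3C E8 ?? ?? ?? ?? "
      "89 C6 83 7D 3C 00 74 1B 48 89 5D 20 C6 45 28 11 48 8B 0D ?? ?? ?? ?? "
      "48 8D 55 20 4D 33 C0 E8 ?? ?? ?? ?? 89 F0 48 8D 65 40 5B 5E 5D C3")
RULES: Dict[str, str] = {"$c0": C0, "$c1": C1}

HEX_DIGITS = set("0123456789abcdefABCDEF")


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string into a compiled bytes regex.

    Only the subset used by this rule is supported: two-digit hex bytes and
    full-byte '??' wildcards. Jumps, nibble wildcards and alternation are not.
    """
    parts: List[bytes] = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        elif len(tok) == 2 and set(tok) <= HEX_DIGITS:
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex-string token: {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL so '.' also matches 0x0A


def scan(buf: bytes, rules: Dict[str, str] = RULES) -> List[Tuple[str, int]]:
    """Return (string name, offset) for every occurrence of every pattern."""
    hits: List[Tuple[str, int]] = []
    for name, pat in rules.items():
        hits.extend((name, m.start()) for m in hex_pattern_to_regex(pat).finditer(buf))
    return hits


def rule_matches(buf: bytes) -> bool:
    """Mirror the rule's 'any of them' condition: at least one string present."""
    return bool(scan(buf))


def instantiate(pattern: str, fill: bytes) -> bytes:
    """Build a concrete byte sequence from a hex pattern, filling each '??'
    with successive bytes of `fill` (cycled). Used only to construct test data."""
    out = bytearray()
    i = 0
    for tok in pattern.split():
        if tok == "??":
            out.append(fill[i % len(fill)])
            i += 1
        else:
            out.append(int(tok, 16))
    return bytes(out)


def build_sample() -> bytes:
    """Constructed buffer: 64 filler bytes, a $c0 instance, 16 filler bytes,
    a $c1 instance, then a copy of $c1 whose last byte (C3, ret) is altered."""
    filler = bytes(range(0x90, 0xD0))                # 64 bytes of unrelated data
    c0 = instantiate(C0, b"\x10\x20\x00\x00")        # arbitrary 32-bit operand bytes
    c1 = instantiate(C1, b"\x7f\x01\x00\x00")
    near_miss = c1[:-1] + b"\xC2"                    # one byte off: must not match
    return filler + c0 + filler[:16] + c1 + near_miss


if __name__ == "__main__":
    sample = build_sample()
    for name, offset in scan(sample):
        print(f"{name} matched at offset {offset:#x}")
    print("rule fires:", rule_matches(sample))
```

The $c0 instance lands at offset 64 and the $c1 instance at offset 137 (64 + 57 bytes of $c0 + 16 filler bytes); the altered copy produces no hit, which is the property to keep in mind when tuning: these are exact opcode sequences with a handful of wildcarded operands, so a compiler or RTL version that emits even one different byte outside the wildcards will not be caught.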
Scenario: A system administrator uses PowerShell to parse command-line arguments with StrToInt in a script that validates user input.
Filter/Exclusion: Exclude processes associated with powershell.exe where the script path contains admin-scripts or validation.

Scenario: A scheduled job runs a legacy application that uses StrToInt for data conversion during batch processing.
Filter/Exclusion: Exclude processes running under a scheduled task named batch-data-processing or with a command line containing legacy-app.exe.

Scenario: A developer is debugging a C# application in Visual Studio, and the StrToInt method is called in the context of unit testing.
Filter/Exclusion: Exclude processes with devenv.exe or where the process name includes VisualStudio.

Scenario: A database administrator uses SQL Server Management Studio (SSMS) to run a T-SQL script that includes a conversion from string to integer.
Filter/Exclusion: Exclude processes with ssms.exe or where the command line contains sqlcmd or sqlserver.

Scenario: A DevOps pipeline executes a script that uses StrToInt to parse version numbers or configuration values during deployment.
Filter/Exclusion: Exclude processes associated with jenkins.exe, azure-pipelines.exe, or docker where the command line includes deploy or ci.