Adversaries may deploy the Enfal malware family, whose binaries carry a set of characteristic hard-coded strings (debug paths, project names, CGI and URI paths, and other literals). The YARA rule below matches any of those strings. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential data exfiltration or reconnaissance activities early.
YARA Rule
rule EnfalStrings : Enfal Family
{
    meta:
        description = "Enfal Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    strings:
        // build paths, project and component names; \x.. escapes are the UTF-8 bytes of non-ASCII path components
        $ = "D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdb"
        $ = "e:\\programs\\LuridDownLoader"
        $ = "LuridDownloader for Falcon"
        $ = "DllServiceTrojan"
        $ = "\\k\\\xe6\xa1\x8c\xe8\x9d\xa2\\"
        $ = "EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89"
        $ = "Madonna\x00Jesus"
        // hard-coded URI paths and other literals
        $ = "/iupw82/netstate"
        $ = "fuckNodAgain"
        $ = "iloudermao"
        $ = "Crpq2.cgi"
        $ = "Clnpp5.cgi"
        $ = "Dqpq3ll.cgi"
        $ = "dieosn83.cgi"
        $ = "Rwpq1.cgi"
        $ = "/Ccmwhite"
        $ = "/Cmwhite"
        $ = "/Crpwhite"
        $ = "/Dfwhite"
        $ = "/Query.txt"
        $ = "/Ufwhite"
        $ = "/cgl-bin/Clnpp5.cgi"
        $ = "/cgl-bin/Crpq2.cgi"
        $ = "/cgl-bin/Dwpq3ll.cgi"
        $ = "/cgl-bin/Owpq4.cgi"
        $ = "/cgl-bin/Rwpq1.cgi"
        $ = "/trandocs/mm/"
        $ = "/trandocs/netstat"
        $ = "NFal.exe"
        $ = "LINLINVMAN"
        $ = "7NFP4R9W"
    condition:
        any of them
}
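The rule above is a plain "any of them" text-string match, and several of its strings use \xNN escapes for the UTF-8 bytes of non-ASCII path components. The following added example (written for this page, not Citizen Lab's or the rule author's code) decodes YARA text-string escapes into the exact bytes YARA would search for and applies the any-of-them condition to a constructed sample buffer, so the rule's strings can be inspected and sanity-checked without a yara install. It uses a constructed excerpt of the strings section; the full section can be pasted in unchanged.

```python
r"""Reference decoder/scanner for YARA text strings (added example, not the page's code).

Handles the escapes YARA accepts in text strings (\\, \", \xNN, \n, \t) and
checks a buffer with 'any of them' semantics. Field names and samples below
are constructed for the demonstration.
"""
import re
from typing import List, Optional

# Constructed excerpt of the rule's strings section (a subset, for the demo).
RULE_STRINGS_EXCERPT = r'''
    $ = "D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdb"
    $ = "LuridDownloader for Falcon"
    $ = "EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89"
    $ = "Madonna\x00Jesus"
    $ = "/cgl-bin/Crpq2.cgi"
    $ = "7NFP4R9W"
'''

# One '$name = "literal"' line; anonymous '$' strings are allowed.
_STRING_LINE = re.compile(r'^\s*\$\w*\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')
# The escape forms YARA permits inside a text string.
_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|[\\"nt])')
_SIMPLE = {'\\': b'\\', '"': b'"', 'n': b'\n', 't': b'\t'}


def decode_yara_text(literal: str) -> bytes:
    """Turn the body of a YARA text string into the bytes YARA matches."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(literal):
        out += literal[pos:m.start()].encode('ascii')
        esc = m.group(1)
        if esc.startswith('x'):
            out.append(int(esc[1:], 16))       # \xNN is one raw byte
        else:
            out += _SIMPLE[esc]
        pos = m.end()
    out += literal[pos:].encode('ascii')
    return bytes(out)


def parse_strings_section(text: str) -> List[bytes]:
    """Extract every text-string literal from a strings: section."""
    return [decode_yara_text(m.group(1))
            for m in (_STRING_LINE.match(ln) for ln in text.splitlines()) if m]


def display(pattern: bytes) -> str:
    """Render a decoded pattern for an analyst (UTF-8 where valid)."""
    return pattern.decode('utf-8', errors='backslashreplace')


def matching_strings(data: bytes, patterns: List[bytes]) -> List[bytes]:
    return [p for p in patterns if p in data]


def rule_matches(data: bytes, patterns: List[bytes]) -> bool:
    """The rule's condition: any of them."""
    return bool(matching_strings(data, patterns))


# Constructed samples: a benign PE-like stub and the same stub with two rule strings appended.
BENIGN_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60
                 + b"This program cannot be run in DOS mode.\r\n" + b"Hello, world\x00")
SUSPECT_SAMPLE = (BENIGN_SAMPLE + b"\x00" * 16
                  + b"LuridDownloader for Falcon\x00" + b"/cgl-bin/Crpq2.cgi\x00")

if __name__ == "__main__":
    pats = parse_strings_section(RULE_STRINGS_EXCERPT)
    for p in pats:
        print(repr(display(p)))
    print("benign:", rule_matches(BENIGN_SAMPLE, pats))
    print("suspect:", [display(p) for p in matching_strings(SUSPECT_SAMPLE, pats)])
```

Decoding the first string shows that the \x-escaped segment is a four-character Chinese directory name in the PDB path, which is why the rule spells it as bytes: YARA text strings match raw bytes, so the rule fires on the compiled binary regardless of how the analyst's editor would display the path.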
When this rule is deployed, the following benign scenarios may overlap with it; each lists a filter or exclusion for tuning:
Scenario: A system administrator is using grep to search for a specific string in log files during a routine troubleshooting session.
Filter/Exclusion: Exclude processes where the command line includes grep or find and the user is a system admin (e.g., user.name = "admin" OR command_line LIKE "%grep%").
Scenario: A scheduled job runs a script that uses sed to replace a string in configuration files during a configuration update.
Filter/Exclusion: Exclude processes where the command line includes sed and the script is known to be part of a configuration management tool (e.g., script_path = "/opt/config-update.sh").
Scenario: A developer is using strings to analyze a binary file for debugging purposes.
Filter/Exclusion: Exclude processes where the command line includes strings and the file path is a known binary (e.g., file_path LIKE "/bin/%" OR file_path LIKE "/usr/bin/%").
Scenario: A database administrator is running a query that includes a string literal in a SQL statement as part of a data migration.
Filter/Exclusion: Exclude processes where the command line includes mysql or psql and the query contains a known migration pattern (e.g., query LIKE "%INSERT INTO migration_table%").
Scenario: A DevOps engineer is using ansible to execute a playbook that includes a string match in a conditional check.
Filter/Exclusion: Exclude processes where the command line includes ansible and the playbook is known to be part of an automation workflow (e.g., playbook_name = "deploy_app.yml").
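The five exclusions above are written as pseudo-SQL fragments; the added example below (written for this page, not part of it) expresses them as one predicate over process events so they can be unit-tested before being translated into a SIEM query. Event field names (user_name, command_line, script_path, file_path, query, playbook_name) and the allowlists are assumptions to be mapped onto your schema. The grep/find exclusion is applied as admin user AND grep/find on the command line, the narrower reading of the scenario text, rather than the OR in its example fragment, which would suppress every grep invocation.

```python
"""Benign-activity exclusions as a testable predicate (added example, not the page's code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Assumed local allowlists; replace with your own.
ADMIN_USERS: Set[str] = {"admin"}
CONFIG_MGMT_SCRIPTS: Set[str] = {"/opt/config-update.sh"}
KNOWN_PLAYBOOKS: Set[str] = {"deploy_app.yml"}
KNOWN_BINARY_DIRS = ("/bin/", "/usr/bin/")
MIGRATION_PATTERN = re.compile(r"INSERT INTO migration_table", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Assumed event shape; map these fields onto the SIEM's schema."""
    user_name: str
    command_line: str
    script_path: str = ""
    file_path: str = ""
    query: str = ""
    playbook_name: str = ""


def _programs(cmd: str) -> Set[str]:
    """Basenames of every whitespace-separated token, so 'grep' matches as a
    whole token (and 'grep_backup.txt' does not)."""
    return {tok.rsplit("/", 1)[-1] for tok in cmd.split()}


def exclusion_reason(ev: ProcessEvent) -> Optional[str]:
    """Return which scenario excludes the event, or None if it should alert."""
    progs = _programs(ev.command_line)
    if progs & {"grep", "find"} and ev.user_name in ADMIN_USERS:
        return "admin grep/find"
    if "sed" in progs and ev.script_path in CONFIG_MGMT_SCRIPTS:
        return "config-management sed"
    if "strings" in progs and ev.file_path.startswith(KNOWN_BINARY_DIRS):
        return "strings on known binary"
    if progs & {"mysql", "psql"} and MIGRATION_PATTERN.search(ev.query):
        return "migration query"
    if any(p.startswith("ansible") for p in progs) and ev.playbook_name in KNOWN_PLAYBOOKS:
        return "known ansible playbook"
    return None


def filter_events(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Events that survive every exclusion, i.e. the ones worth alerting on."""
    return [e for e in events if exclusion_reason(e) is None]


# Constructed sample events covering each scenario plus two that must still alert.
SAMPLE_EVENTS = [
    ProcessEvent("admin", "grep -r password /var/log"),
    ProcessEvent("www-data", "grep -r password /etc"),
    ProcessEvent("root", "sed -i s/old/new/ /etc/app.conf", script_path="/opt/config-update.sh"),
    ProcessEvent("dev", "strings /usr/bin/ls", file_path="/usr/bin/ls"),
    ProcessEvent("dev", "strings /tmp/unknown.bin", file_path="/tmp/unknown.bin"),
    ProcessEvent("dba", "psql -h db -f migrate.sql", query="INSERT INTO migration_table VALUES (1)"),
    ProcessEvent("ops", "ansible-playbook deploy_app.yml", playbook_name="deploy_app.yml"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.user_name:9} {ev.command_line:40} -> {exclusion_reason(ev) or 'ALERT'}")
```

Keeping the exclusions in one function with a reason string makes each tuning decision reviewable and lets the suppressed count per reason be reported, which is how an over-broad exclusion (such as the OR form of the grep rule) is noticed.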