The eval_post rule detects PHP source text that passes attacker-supplied POST data straight into eval(), the pattern behind the classic one-line webshell (for example `<?php @eval($_POST['cmd']); ?>`) and its base64-wrapped variant. A file containing one of these strings gives anyone who can reach it arbitrary code execution on the web server, so a hit is typically an already-planted backdoor used for payload delivery or as a command-and-control foothold. SOC teams should run the rule with a YARA scanner over web document roots, upload directories and files extracted from web or mail traffic, forward matches to their SIEM (the page names Azure Sentinel, now Microsoft Sentinel), and hunt on those results to catch webshells before they are used for persistence, lateral movement or destructive actions.
YARA Rule
rule eval_post {
    meta: description = "PHP source passing POST data to eval(): one-line webshell patterns"
    strings:
        $s1 = "eval(base64_decode($_POST"   // base64-wrapped variant: eval(base64_decode($_POST['x']))
        $s2 = "eval($undecode($tongji))"    // obfuscated variant: decode helper applied to a variable before eval
        $s3 = "eval($_POST"                 // classic one-liner; also matches @eval($_POST['x'])
    condition:
        any of them                         // text strings are case-sensitive and byte-exact by default
}
This YARA rule is a file-content signature: it fires on the bytes inside a file, not on a file name, a process name or a parent process. The rule name eval_post is only a label; no legitimate tool creates a file "named eval_post" that this rule would notice, and the rule has nothing to do with PowerShell, LogParser, Splunk or Jenkins. Process-based filters such as process.name != "powershell.exe" therefore cannot tune it. Deploy it with a YARA scanner (on-access or scheduled) against web roots, upload and cache directories, and files carved from traffic, and tune it with path- and file-type-based exclusions like the following.
Scenario: A signature repository on the scanned host (YARA rule sets, IDS rule files, scanner test corpora) contains the literal strings because it ships this or a similar rule.
Filter/Exclusion: Exclude signature file types (.yar, .yara, .rules) or the repository path from the scan scope, or suppress hits whose path is under that directory.
Scenario: An analyst's malware sample or CTF archive holds real webshells on purpose.
Filter/Exclusion: Exclude the sample or quarantine directory from scheduled scans and review hits there separately; a match under a web root is never covered by this exclusion.
Scenario: Security write-ups, training material or documentation saved locally quote a one-line webshell verbatim.
Filter/Exclusion: Lower the severity of hits in non-script files outside any web root (for example .md, .txt or .html under a documentation path), but still verify them: a renamed script is not executed by PHP, yet its presence on a server still needs explaining.
Caveat: Legitimate PHP applications do not pass $_POST into eval(), so a match on a file served by a web server should be treated as a confirmed webshell until proven otherwise. The reverse is not true: the strings are byte-exact, so `eval( $_POST['x'] )` with extra whitespace, `EVAL($_POST`, or shells reading `$_GET`, `$_REQUEST` or `$_COOKIE` do not match. Pair this rule with broader webshell signatures rather than relying on it alone.