The rule detects potential adversarial use of the JavaScript eval function where an inline comment is placed between the function name and its opening parenthesis, a pattern used to obfuscate malicious code execution. SOC teams should proactively hunt for this behavior in Azure Sentinel, as it may indicate an attempt to bypass standard detection mechanisms and execute arbitrary code.
YARA Rule
rule eval_with_comments {
    strings:
        $ = /(^|\s)eval\s*\/\*.{,128}\*\/\s*\(/
    condition:
        any of them and filesize < 500KB
}
The following benign scenarios may also trigger this YARA rule; each lists a suggested filter or exclusion for deployments where it applies:
Scenario: Developer commenting on code in a version control system
Description: A developer adds inline comments to a script or configuration file using a tool like Git or SVN.
Filter/Exclusion: Exclude files under .git or .svn directories, or files modified by users with the developer role.
Scenario: Scheduled system maintenance job with embedded comments
Description: A scheduled task (e.g., using cron or Task Scheduler) runs a script that includes comments for documentation.
Filter/Exclusion: Exclude files with cron or task in their path, or files executed by the system or admin account.
Scenario: Admin using eval in a legitimate configuration file
Description: An administrator uses eval in a configuration file (e.g., bashrc, profile, or init.d) for dynamic command execution.
Filter/Exclusion: Exclude files in /etc/ or /root/, or files with admin or sudo in their path.
Scenario: Log file parsing with inline comments
Description: A log parsing script (e.g., using awk, sed, or grep) includes comments to explain log format.
Filter/Exclusion: Exclude files with .log, .txt, or .csv extensions, or files accessed by log management tools like rsyslog or logrotate.
Scenario: Script used for automated testing with embedded comments
Description: A test script (e.g., using pytest, Jest, or Selenium) includes comments for test case explanations.
Filter/Exclusion: Exclude files in a tests/ directory, or files with test_ in their name.
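As an added example, not part of the original page or rule, the following Python script re-expresses the rule's regex and filesize condition with the standard re module and applies the path-based exclusions listed in the scenarios above to a set of constructed sample files. It assumes the YARA quantifier {,128} maps to {0,128} in Python and uses re.MULTILINE so ^ matches at each line start (the YARA engine anchors ^ at the start of the data, so this is a deliberate approximation). Exclusions that depend on who modified or ran a file (developer role, system or admin account, log management tools) are not modelled here because a file path alone does not carry that information.

```python
import re

# Python re equivalent of the YARA regex /(^|\s)eval\s*\/\*.{,128}\*\/\s*\(/ .
# Assumption: YARA's {,128} becomes {0,128}; re.MULTILINE is an approximation
# of YARA's ^ anchoring, chosen so that an eval at the start of any line is hit.
EVAL_WITH_COMMENT = re.compile(r"(^|\s)eval\s*/\*.{0,128}\*/\s*\(", re.MULTILINE)

# The rule's "filesize < 500KB" condition; YARA's KB suffix means 1024 bytes.
MAX_FILESIZE = 500 * 1024

# Path-based exclusions taken from the scenarios on the page. These are plain
# substring checks, so "cron" also matches e.g. "macron.js"; tune them per site.
EXCLUDED_EXTENSIONS = (".log", ".txt", ".csv")
EXCLUDED_PATH_PARTS = (".git/", ".svn/", "cron", "task", "/etc/", "/root/",
                       "admin", "sudo", "tests/")


def rule_matches(data: bytes) -> bool:
    """Apply the same logic as the YARA rule: size bound, then regex hit."""
    if len(data) >= MAX_FILESIZE:
        return False
    text = data.decode("utf-8", errors="replace")
    return EVAL_WITH_COMMENT.search(text) is not None


def is_excluded(path: str) -> bool:
    """Return True if the path falls under one of the page's exclusions."""
    lowered = path.lower()
    name = lowered.rsplit("/", 1)[-1]
    if name.endswith(EXCLUDED_EXTENSIONS):
        return True
    if name.startswith("test_"):
        return True
    return any(part in lowered for part in EXCLUDED_PATH_PARTS)


def triage(files: dict) -> list:
    """Return the paths that match the rule and are not excluded, sorted."""
    return sorted(path for path, data in files.items()
                  if not is_excluded(path) and rule_matches(data))


# Constructed sample files (hypothetical paths and contents, not real samples).
SAMPLE_FILES = {
    # Obfuscated call: comment between eval and its argument list -> should alert.
    "src/app.js": b"var x = 1;\neval/* harmless-looking */(atob(payload));\n",
    # Plain eval without an inline comment -> regex does not match.
    "src/lib/util.js": b"eval(code); // no comment between name and paren\n",
    # Regex matches, but the tests/ directory and test_ prefix exclude it.
    "tests/test_parser.js": b"eval /* fixture */ (input)\n",
    # Regex matches, but /etc/ is excluded as an admin configuration location.
    "/etc/profile": b'eval /* set colours */ ("$(dircolors -b)")\n',
    # Regex matches, but the .txt extension is excluded as a log/text file.
    "notes.txt": b"eval/* snippet pasted from a ticket */(\n",
    # Regex would match, but the file is at the 500KB size bound -> no alert.
    "vendor/bundle.js": b" " * MAX_FILESIZE + b"eval/*a*/(",
}


if __name__ == "__main__":
    for hit in triage(SAMPLE_FILES):
        print("ALERT eval_with_comments:", hit)
```

Running the script prints a single alert for src/app.js; the other samples are either not matched by the regex, over the size bound, or suppressed by an exclusion. Keeping the exclusion list separate from the match logic mirrors how the YARA rule and the Sentinel-side filtering would be maintained independently.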