This rule fingerprints a code construct rather than a plaintext string. Both patterns are runs of the x86 instruction mov byte ptr [ebp+disp8], imm8 (encoded C6 45 disp8 imm8), which is how a compiler lays out a short character array on the stack one byte at a time. Malware authors rely on this to keep strings out of the binary's string table, and the rule matches the exact sequence of stored byte values while wildcarding the stack offsets. It is a file and memory signature for the Favorite family: run it with the yara command-line tool, inside a sandbox or mail-gateway scanner, or as a VirusTotal retrohunt. It is not a SIEM query; a log-analytics platform never sees the instruction bytes the rule needs, so feed it the scanner's match output as an event instead.
YARA Rule
rule FavoriteCode : Favorite Family
{
    meta:
        description = "Favorite code features"
        author = "Seth Hardy"
        last_modified = "2014-06-24"
    strings:
        // standard string hiding: each 4-byte unit is
        //   C6 45 disp8 imm8  ->  mov byte ptr [ebp+disp8], imm8
        // the stack offset (disp8) is wildcarded, the stored value is fixed
        // stored bytes 3B 27 34 75 6B 6C 3B 2F (ASCII ;'4ukl;/)
        $ = { C6 45 ?? 3B C6 45 ?? 27 C6 45 ?? 34 C6 45 ?? 75 C6 45 ?? 6B C6 45 ?? 6C C6 45 ?? 3B C6 45 ?? 2F }
        // stored bytes 6F 73 73 76 63 65 78 65 (ASCII ossvcexe)
        $ = { C6 45 ?? 6F C6 45 ?? 73 C6 45 ?? 73 C6 45 ?? 76 C6 45 ?? 63 C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 }
    condition:
        any of them
}
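As an added example (not part of the original rule set and not Seth Hardy's code), the following Python decodes the two hex patterns into the bytes they store on the stack and implements a small wildcard matcher, so the rule's condition can be exercised against a constructed buffer without yara-python. The prologue and epilogue bytes in build_sample (push ebp; mov ebp,esp; leave; ret) and the sequential stack offsets it fills into the wildcards are assumptions chosen to make the sample look like a small function; they are not taken from a real sample.

```python
"""Decode and exercise the FavoriteCode YARA hex patterns (added example).

Each 4-byte unit of the patterns is the x86 instruction
    C6 45 disp8 imm8   ->   mov byte ptr [ebp+disp8], imm8
so the rule is really matching a sequence of byte values written onto the
stack, with the stack slot (disp8) left as a wildcard.
"""
import re

# The two anonymous strings from the rule, given names here for reporting.
PATTERNS = {
    "$a": "C6 45 ?? 3B C6 45 ?? 27 C6 45 ?? 34 C6 45 ?? 75 "
          "C6 45 ?? 6B C6 45 ?? 6C C6 45 ?? 3B C6 45 ?? 2F",
    "$b": "C6 45 ?? 6F C6 45 ?? 73 C6 45 ?? 73 C6 45 ?? 76 "
          "C6 45 ?? 63 C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65",
}


def parse_hex_pattern(text):
    """Turn 'C6 45 ?? 3B ...' into a list of ints, with None for '??'."""
    out = []
    for tok in text.split():
        if tok == "??":
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    return out


def find_pattern(data, pattern):
    """Return every offset at which the wildcard pattern occurs in data."""
    n = len(pattern)
    return [
        off for off in range(len(data) - n + 1)
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern))
    ]


def decode_stack_stores(pattern):
    """Recover the imm8 values from consecutive 'C6 45 disp8 imm8' units.

    Raises if the pattern is not made only of such units; the disp8 slot
    must be a wildcard because the rule does not constrain it.
    """
    if len(pattern) % 4:
        raise ValueError("pattern length is not a multiple of 4")
    stored = []
    for i in range(0, len(pattern), 4):
        opcode, modrm, disp, imm = pattern[i:i + 4]
        if opcode != 0xC6 or modrm != 0x45 or disp is not None or imm is None:
            raise ValueError(f"unit at byte {i} is not mov byte ptr [ebp+disp8], imm8")
        stored.append(imm)
    return bytes(stored)


def build_sample(pattern, base_disp=-0x20):
    """Constructed test input (assumption, not a real sample): concrete bytes
    that satisfy the pattern, wildcards filled with consecutive stack offsets,
    wrapped in a minimal function prologue and epilogue."""
    body = bytearray()
    slot = 0
    for p in pattern:
        if p is None:
            body.append((base_disp + slot) & 0xFF)
            slot += 1
        else:
            body.append(p)
    prologue = b"\x55\x8B\xEC"   # push ebp; mov ebp, esp
    epilogue = b"\xC9\xC3"       # leave; ret
    return prologue + bytes(body) + epilogue


def scan(data):
    """Offsets of each pattern in data, keyed by the name used above."""
    return {name: find_pattern(data, parse_hex_pattern(h)) for name, h in PATTERNS.items()}


def rule_matches(data):
    """Mirror the rule's condition: any of them."""
    return any(scan(data).values())


if __name__ == "__main__":
    for name, h in PATTERNS.items():
        print(name, "stores", decode_stack_stores(parse_hex_pattern(h)))
    sample = build_sample(parse_hex_pattern(PATTERNS["$b"]))
    print("constructed sample hits:", scan(sample), "match:", rule_matches(sample))
```

A real scan replaces build_sample with the file bytes (open(path, "rb").read()) or a process memory dump; the offsets returned by scan are the same ones yara -s prints, which is a quick way to confirm the matcher agrees with the reference engine on a known sample.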
This YARA rule can be deployed in the following contexts:
Scenario: Scanning files at rest (a malware repository, a quarantine share, a disk image from an incident host) with the command-line tool, e.g. yara -r -s FavoriteCode.yar /evidence, where -s prints the offset of each matching string.
Filter/Exclusion: The patterns are instruction bytes, so exclusions based on the process or tool that wrote the file (git, npm, docker-compose, rsync, webpack) do not apply; a match is a property of the file's contents, not of how it arrived. Suppress a confirmed false positive by its SHA-256 hash, never by path or tool name.
Scenario: Scanning the memory of a running process (yara FavoriteCode.yar <pid>) or a sandbox memory dump to catch a packed Favorite sample after it has unpacked itself.
Filter/Exclusion: The rule fires only on the decoded code. A miss on a packed file on disk is not evidence of absence; rescan once the sample has executed.
Scenario: Submitting the rule to VirusTotal Retrohunt or Livehunt to find additional samples of the family.
Filter/Exclusion: The rule has no file-type guard, so it will also run over documents, archives and other data. Prefixing the condition with uint16(0) == 0x5A4D and restricts it to PE files and cuts both scan time and noise, but that variant will no longer match memory dumps or bare shellcode, so keep the unguarded form for memory scanning.
Scenario: Validating the rule before it goes into production.
Filter/Exclusion: The stack-store construct itself is an ordinary compiler idiom; all of the specificity comes from the fixed byte values, so a one-byte change by the author silences a string. Treat a hit as high confidence, compile the rule with yarac to catch syntax problems, confirm it matches a known Favorite sample, and run it over a clean software corpus to check for false positives before enabling alerts.