This detection rule flags files or process memory containing strings previously observed in the malware family the rule tags as Favorite: a hard-coded keyboard-walk password ("!QAZ4rfv") and two file names ("msupdater.exe", "FAVORITES.DAT"). SOC teams can run it proactively across endpoints and file shares, and hunt for the same file names in SIEM telemetry such as Azure Sentinel where file and process events record them, to catch early-stage activity before data exfiltration or further compromise.
YARA Rule
rule FavoriteStrings : Favorite Family
{
    meta:
        description = "Favorite Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-24"
    strings:
        $string1 = "!QAZ4rfv"
        $file1 = "msupdater.exe"
        $file2 = "FAVORITES.DAT"
    condition:
        any of ($string*) or all of ($file*)
}
This rule contains three string patterns: one password-like string ($string1) and two file names ($file1, $file2). The condition fires when $string1 is present, or when both file names appear in the same object; either file name on its own does not match. All three are plain text strings with no nocase or wide modifier, so YARA compares them as case-sensitive ASCII: "favorites.dat" in lower case or a UTF-16 copy of the password is not matched. The rule is applied to file contents and process memory (on-disk scans, memory scans, sandbox drops, mail attachments); it is not a log-query rule, and the description text in the meta section is never part of the match. The scenarios below describe benign sources of matches and how to exclude them without blinding the rule.
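To make the condition concrete, the following added example (not part of the original page or of the rule author's tooling) re-implements the FavoriteStrings match logic in pure Python and runs it over constructed sample buffers, one per branch of the condition. The sample bytes are invented for illustration and are not real malware; in a real deployment you would compile and run the rule itself with yara-python rather than emulate it.

```python
from __future__ import annotations

# Added example: emulates the FavoriteStrings condition
#   any of ($string*) or all of ($file*)
# over constructed buffers. Not the page's own code; for production use
# yara.compile()/rules.match() from yara-python on the actual rule file.

# The rule's strings. Text strings without modifiers are case-sensitive
# ASCII in YARA, so these exact bytes are what must appear.
STRINGS = {
    "$string1": b"!QAZ4rfv",
    "$file1": b"msupdater.exe",
    "$file2": b"FAVORITES.DAT",
}


def find_strings(data: bytes) -> dict[str, list[int]]:
    """Return every byte offset at which each rule string occurs in data."""
    hits: dict[str, list[int]] = {}
    for name, pattern in STRINGS.items():
        offsets = []
        pos = data.find(pattern)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(pattern, pos + 1)
        hits[name] = offsets
    return hits


def favorite_strings_matches(data: bytes) -> bool:
    """True when the rule's condition holds for data."""
    hits = find_strings(data)
    any_string = any(hits[n] for n in hits if n.startswith("$string"))
    all_files = all(hits[n] for n in hits if n.startswith("$file"))
    return any_string or all_files


# Constructed samples (hypothetical, not real artifacts), one per case.
SAMPLES = {
    "both_filenames": b"C:\\Windows\\Temp\\msupdater.exe writes FAVORITES.DAT\x00",
    "only_file1": b"msupdater.exe is a dropper name\x00",
    "only_file2": b"FAVORITES.DAT\x00",
    "password_only": b"login: !QAZ4rfv\x00",
    "lowercase_file2": b"msupdater.exe favorites.dat\x00",   # case-sensitive: no $file2
    "utf16_password": "!QAZ4rfv".encode("utf-16-le"),      # no 'wide': no $string1
    "clean": b"MZ\x90\x00 nothing here\x00",
}


def scan_samples() -> dict[str, bool]:
    """Apply the emulated rule to every sample and report match/no match."""
    return {name: favorite_strings_matches(buf) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, matched in scan_samples().items():
        print(f"{name:18} {'MATCH' if matched else 'no match'}")
```

Only "both_filenames" and "password_only" match; a single file name, a lower-cased FAVORITES.DAT, or a UTF-16 copy of the password does not, which is exactly what the three-string condition and the absence of nocase/wide modifiers imply. If you need UTF-16 or case-insensitive coverage, change the rule (add wide ascii or nocase) rather than post-processing matches.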
Scenario: A system administrator uses grep to search logs or files for "!QAZ4rfv" while following up on a credential-reuse report. The string now sits in the shell history file and in any command-line telemetry that was exported to disk, and a YARA scan of those files, or of the shell's process memory, matches on $string1.
Filter/Exclusion: Exclude shell history files and SIEM/log export directories from the scan scope by path (e.g. /home/*/.bash_history, the Sentinel export folder). Do not suppress matches purely because user.name = "admin" or "sysadmin": those are exactly the accounts an intruder ends up operating from.
Scenario: A scheduled job runs strings over binaries for debugging. If one of those binaries is a quarantined sample, the text dumps the job writes carry "msupdater.exe" and "FAVORITES.DAT" side by side and satisfy all of ($file*).
Filter/Exclusion: Exclude the job's output directory by path, and keep quarantine and analysis folders out of the production scan scope. Prefer this to excluding by process name (e.g. process.name = "debug_script.sh"), which an attacker can reuse for free.
Scenario: A database administrator queries a table that stores threat-intelligence indicators, including the file names from this rule. The data files, dumps and query logs of that database contain both file names and match all of ($file*). (The description text "Favorite Identifying Strings" is metadata and never matches; only the three strings in the strings: section count.)
Filter/Exclusion: Exclude the database's data and dump directories by path (e.g. the IOC database's datadir), not the mysql process or every query mentioning the database name (e.g. process.name = "mysql" AND command_line LIKE "%database_name%" is far too broad).
Scenario: A DevOps engineer runs a CI/CD pipeline that checks out a repository holding this rule, or test fixtures that contain its strings, on every build; each checkout and build log then matches.
Filter/Exclusion: Exclude the checkout path of the rules repository and its fixture directory (e.g. file.path LIKE "/var/jenkins_home/workspace/yara-rules/%"), keeping the exclusion as narrow as the directory that actually holds the rule and fixture files rather than the whole Jenkins or GitLab CI workspace.
Scenario: A security analyst opens a threat report or this rule in vim or nano during an investigation; the editor's swap and backup files (.swp, ~) and the editor's memory now contain the strings.
Filter/Exclusion: Exclude editor swap and backup files by name pattern and the analyst's case directory by path. Excluding everything where user.name = "security_analyst" is too coarse: a compromised analyst workstation is a high-value target and should stay in scope.