Adversaries may use "function through object" techniques, in which a sensitive function such as eval is reached through an object property (for example obj['eval']) rather than called by name, to bypass signature-based detection that looks for the direct call. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evasion tactics and uncover stealthy malware activity.
YARA Rule
rule function_through_object {
    strings:
        // Bracket-notation property access that resolves a sensitive function
        // by its string name instead of calling it directly, e.g. window['eval']
        $ = "['eval']"
        $ = "['unescape']"
        $ = "['charCodeAt']"
        $ = "['fromCharCode']"
    condition:
        any of them and filesize < 500KB
}
This YARA rule can be deployed in the following contexts:
Scenario: Scheduled system maintenance using schtasks.exe
Filter/Exclusion: process.parent_process == "schtasks.exe" or process.name == "schtasks.exe"
Scenario: PowerShell script running as part of a regular system update process
Filter/Exclusion: process.name == "powershell.exe" and process.parent_process == "svchost.exe" and process.command_line contains "Update"
Scenario: Admin task using taskmgr.exe to manage running processes
Filter/Exclusion: process.name == "taskmgr.exe" or process.parent_process == "explorer.exe"
Scenario: Legitimate use of regsvr32.exe to register a COM component
Filter/Exclusion: process.name == "regsvr32.exe" and process.command_line contains "/s"
Scenario: Automated backup job using robocopy.exe
Filter/Exclusion: process.name == "robocopy.exe" and process.command_line contains "/Z /R:3"
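As an added example that is not part of the original page, the following Python scanner applies the same logic as the YARA rule above (the four property names and the 500KB size bound) to a constructed JavaScript sample; unlike the rule's literal strings, its regex also matches the double-quoted form of the bracket notation and surrounding whitespace, which the single-quoted signatures would miss.

```python
import re

# The four property names watched by the YARA rule on this page; extend this
# tuple to widen coverage (assumption: the rule's list is the intended scope).
SENSITIVE_PROPS = ("eval", "unescape", "charCodeAt", "fromCharCode")
MAX_SIZE = 500 * 1024  # mirrors the rule's `filesize < 500KB`

# Bracket-notation property access: obj['eval'], obj["eval"], obj[ 'eval' ].
# The YARA rule only matches the single-quoted, unspaced form; this regex
# accepts either quote style and optional whitespace inside the brackets.
_PATTERN = re.compile(
    r"\[\s*(['\"])(" + "|".join(map(re.escape, SENSITIVE_PROPS)) + r")\1\s*\]"
)


def find_function_through_object(script: bytes):
    """Return a list of (line_number, property, line_text) hits.

    Returns [] when the sample is at or above MAX_SIZE, matching the rule's
    filesize condition.
    """
    if len(script) >= MAX_SIZE:
        return []
    text = script.decode("utf-8", errors="replace")
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _PATTERN.finditer(line):
            hits.append((lineno, m.group(2), line.strip()))
    return hits


# Constructed sample: a snippet that resolves unescape/eval/fromCharCode via
# bracket notation; the direct charCodeAt call on the last line is not flagged.
SAMPLE = b"""
var w = window;
var d = w["unescape"]("%61%6c%65%72%74");
var f = w['eval'];
var s = String['fromCharCode'](72, 105);
console.log(s.charCodeAt(0)); // direct call, not bracket notation
"""

if __name__ == "__main__":
    for lineno, prop, line in find_function_through_object(SAMPLE):
        print(f"line {lineno}: {prop!r} reached via bracket notation -> {line}")
```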