The googieplay_js rule detects potential JavaScript-based adversary behavior that may be used to exfiltrate data or establish persistence within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could lead to more severe compromises.
YARA Rule
rule googieplay_js {
    strings:
        $ = "tdsjqu!tsd>#iuuq;00hpphjfqmbz/jogp0nbhfoup`hpphjfqmbz/kt#?=0tdsjqu?"
    condition:
        any of them
}
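As an added example (not part of the original rule page), the Python below decodes the rule's string and checks constructed samples against it. It assumes the string is the plaintext indicator with every character shifted up by one code point, which decodes to: script src="http://googieplay.info/magento_googieplay.js"></script>. The scan shows that the rule as written fires only on the shifted form, not on the plain tag inside page content.

```python
# Added example, not from the original rule page. Assumption: the rule string is the
# plaintext indicator with every character shifted up by one code point.
# All sample content below is constructed for illustration.

# The string exactly as it appears in the YARA rule above.
RULE_STRING = "tdsjqu!tsd>#iuuq;00hpphjfqmbz/jogp0nbhfoup`hpphjfqmbz/kt#?=0tdsjqu?"


def shift(text: str, delta: int) -> str:
    """Shift every character of text by delta code points."""
    return "".join(chr(ord(c) + delta) for c in text)


def decode_rule_string(encoded: str = RULE_STRING) -> str:
    """Undo the +1 shift to reveal the script tag the signature was built from."""
    return shift(encoded, -1)


def scan(content: bytes, encoded: str = RULE_STRING) -> dict:
    """Report the first offset of the encoded string (what the rule's 'any of them'
    checks) and of its decoded form (what the rule as written does not check).
    -1 means the form is absent."""
    decoded = decode_rule_string(encoded)
    return {
        "encoded": content.find(encoded.encode("ascii")),
        "decoded": content.find(decoded.encode("ascii")),
    }


def rule_matches(content: bytes) -> bool:
    """True exactly when the YARA rule above would fire on this content."""
    return scan(content)["encoded"] >= 0


# Constructed samples: a page carrying the plain tag, a loader that stores the
# shifted string to decode at runtime, and a benign page.
SAMPLES = {
    "injected_page": b"<html><body><" + decode_rule_string().encode("ascii") + b"</body></html>",
    "loader": b"var p='" + RULE_STRING.encode("ascii") + b"';",
    "clean": b'<html><body><script src="/static/app.js"></script></body></html>',
}

if __name__ == "__main__":
    print("decoded indicator:", decode_rule_string())
    for name, blob in SAMPLES.items():
        print(f"{name:14} rule_fires={rule_matches(blob)!s:5} offsets={scan(blob)}")
```

The plain tag in the injected_page sample does not trigger the rule; catching it in served page content would require adding the decoded form as a second string.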
When this YARA rule is deployed, the following scenarios can produce benign matches; a filter or exclusion is suggested for each:
Scenario: Legitimate use of JavaScript in a development environment
Filter/Exclusion: Check for presence of development tools like Visual Studio Code, WebStorm, or Sublime Text in the process tree. Exclude processes running under user accounts with dev or developer in their username.
Scenario: Scheduled job for system maintenance or log rotation
Filter/Exclusion: Exclude processes associated with cron, systemd, or task scheduler that are running known maintenance scripts (e.g., logrotate, systemd-journald, or clean_logs.sh).
Scenario: Admin task involving script execution for configuration updates
Filter/Exclusion: Exclude processes initiated by administrators using tools like PowerShell, bash, or cmd.exe that are executing known administrative scripts (e.g., update_config.ps1, setup.sh, or config_update.bat).
Scenario: Legitimate use of JavaScript in a CI/CD pipeline
Filter/Exclusion: Exclude processes running under CI/CD agents like Jenkins, GitLab CI, or GitHub Actions that are executing JavaScript-based build scripts (e.g., build.js, package.json scripts).
Scenario: Use of JavaScript in a legitimate security tool for threat hunting
Filter/Exclusion: Exclude processes associated with security tools like OSSEC, Snort, or Suricata that may include JavaScript for analysis or parsing (e.g., threat_hunting.js, analysis_script.js).