is elf

Hunt Hypothesis

The rule detects potential ELF file artifacts that may indicate the presence of malicious binaries or suspicious process behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise through file-based attack vectors.

YARA Rule

rule is_elf
{
    strings:
        $header = { 7F 45 4C 46 }

    condition:
        $header at 0
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 1 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: A legitimate system update or package installation uses an ELF binary (e.g., apt or yum package manager)

  • Filter/Exclusion: Check the file path against known package directories (e.g., /usr/lib, /opt, /var/cache/apt/archives)

• Scenario: A system administrator is using a legitimate ELF-based tool like strace or ltrace for debugging

  • Filter/Exclusion: Exclude files matching /usr/bin/strace or /usr/bin/ltrace or use process name filtering for strace or ltrace

• Scenario: A scheduled job runs a legitimate ELF binary, such as cron job executing /usr/sbin/rsyslogd

  • Filter/Exclusion: Exclude files in /etc/cron.d/ or use process name filtering for rsyslogd or cron

• Scenario: A developer is compiling a C program using gcc, which generates an ELF binary as part of the build process

  • Filter/Exclusion: Exclude files in /tmp or /build directories, or filter by process name gcc

• Scenario: A containerized application (e.g., Docker) runs an ELF binary inside a container, such as a custom service

  • Filter/Exclusion: Exclude files within container-specific directories (e.g., /var/lib/docker) or use container ID or namespace filtering