The hypothesis is that the detected jQuery-looking code is one stage of a multi-stage attack in which a script that presents itself as legitimate JavaScript executes arbitrary commands or exfiltrates data. A SOC team should proactively hunt for this pattern in Azure Sentinel (now Microsoft Sentinel) to surface command-and-control or data-exfiltration activity hidden inside seemingly benign script payloads.
YARA Rule
rule jquery_code_su_multi {
    meta:
        description = "Fragment of a reversed base64 blob embedded in script presenting as jQuery; reversed and decoded it yields a packer word table containing POST, decodeURIComponent and location"
    strings:
        // The leading '=' is base64 padding at the wrong end: the blob was stored reversed.
        // The fragment is 114 characters (not a multiple of 4), so it was cut from a longer blob.
        $rev_b64 = "=oQKpkyJ8dCK0lGbwNnLn42bpRXYj9GbENDft12bkBjM8V2Ypx2c8Rnbl52bw12bDlkUVVGZvNWZkZ0M85WavpGfsJXd8R1UPB1NywXZtFmb0N3box"
    condition:
        any of them
}
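To see what the rule's string actually matches, and to generalise the hunt beyond one literal, the following Python is an added example (not code from the original page or from any SOC playbook). It reverses the indicator, base64-decodes the aligned tail, splits the result on the packer's '|' separator, and reports which words point at data collection or sending data off host. The keyword list, the sample file bodies and the function names are assumptions for this example; the indicator string is copied verbatim from the rule.

```python
import base64
import re

# Indicator string copied verbatim from the YARA rule above.
INDICATOR = (
    "=oQKpkyJ8dCK0lGbwNnLn42bpRXYj9GbENDft12bkBjM8V2Ypx2c8Rnbl52bw12bDlk"
    "UVVGZvNWZkZ0M85WavpGfsJXd8R1UPB1NywXZtFmb0N3box"
)

# A base64 blob whose '=' padding sits at the front has been stored reversed.
# Candidate pattern: one or two '=' followed by a long run of base64 alphabet.
REVERSED_B64_RE = re.compile(rb"={1,2}[A-Za-z0-9+/]{40,}")

# Word-table entries that, in a packed script, point at collecting host data or
# sending it out. Assumed list for this example; extend it for your estate.
SUSPICIOUS_KEYWORDS = (
    "hostname", "location", "cookie", "POST", "XMLHttpRequest", "fetch",
    "decodeURIComponent", "eval",
)


def decode_reversed_fragment(fragment):
    """Reverse a reversed-base64 fragment and decode its aligned tail.

    The fragment may have been cut out of a longer blob, so after reversal the
    first group may be incomplete. Dropping len % 4 leading characters keeps the
    trailing '=' padding aligned with the last 4-character group.
    """
    forward = fragment[::-1]
    forward = forward[len(forward) % 4:]
    return base64.b64decode(forward, validate=True).decode("latin-1")


def packer_tokens(decoded):
    """Split the decoded text on '|', the separator of a packer's word table."""
    table = decoded.split("'.split('|')")[0]
    return table.split("|")


def suspicious_keywords(tokens):
    """Report which suspicious words appear in the word table.

    Tokens may carry leftover URL-encoding such as 27 (%27) or 3F (%3F), so use
    substring matching rather than equality.
    """
    hits = {kw for tok in tokens for kw in SUSPICIOUS_KEYWORDS if kw in tok}
    return sorted(hits)


def hunt(blob):
    """Scan a file body for reversed-base64 runs that decode to packer output.

    Returns one finding per hit with the byte offset, the decoded text and the
    suspicious words. Runs that do not decode, or decode to something other
    than a packer word table, are ignored, which keeps ordinary
    '=longIdentifier' text quiet.
    """
    findings = []
    for m in REVERSED_B64_RE.finditer(blob):
        try:
            decoded = decode_reversed_fragment(m.group().decode("ascii"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if "'.split('|')" not in decoded:
            continue
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "keywords": suspicious_keywords(packer_tokens(decoded)),
        })
    return findings


# Constructed samples (not real captures): a file that carries a jQuery banner
# but embeds the indicator, and a benign file with a long '=identifier' run.
SAMPLE_SUSPECT = (
    b"/*! jQuery v3.6.0 | (c) OpenJS Foundation | jquery.org/license */\n"
    b"var q=\"" + INDICATOR.encode("ascii") + b"\";\n"
)
SAMPLE_BENIGN = (
    b"var jQueryCacheKey=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123;\n"
)

if __name__ == "__main__":
    print(repr(decode_reversed_fragment(INDICATOR)))
    for f in hunt(SAMPLE_SUSPECT):
        print("hit at offset", f["offset"], "keywords:", f["keywords"])
    print("benign findings:", hunt(SAMPLE_BENIGN))
```

The decoded fragment is the tail of a packer word table (the `'.split('|')` idiom) whose entries include `27POST`, `3FdecodeURIComponent` and `3Dlocation`, i.e. URL-encoded pieces of a request that reads `location` and sends it with a POST; that is what makes the literal worth hunting. Note that `'.split('|')` on its own is also produced by legitimate packed jQuery plugins, so the decision in `hunt` rests on the reversed storage plus the word table, not on the packer idiom alone.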
The scenarios below describe legitimate activity that a broader jQuery-focused hunt in Azure Sentinel may surface, with an exclusion for each. Two caveats apply before any exclusion is switched on. First, the string in the rule is a fragment of an obfuscated payload, not something shipped by upstream jQuery, so a hit inside a file named jquery.min.js or under a jQuery asset path is more suspicious, not less; an exclusion keyed only on a file name or path should be confirmed by file hash or content review, because the attacker controls both. Second, an exclusion that matches on user.name containing "admin" suppresses exactly the privileged accounts where this activity matters most; scope it to a named service account where possible. The field names used here (file.name, file.path, process.name, process.args, user.name) are generic and must be mapped to the columns of the table actually queried.
Scenario: Legitimate jQuery code in a web application
Filter/Exclusion: file.name contains "jquery.min.js" or file.path contains "/web/assets/jquery/"
Scenario: Scheduled job using jQuery for automated report generation
Filter/Exclusion: process.name contains "scheduled_task.exe" or process.args contains "generate_report"
Scenario: System update or patching process installs a package that bundles jQuery as a dependency (jQuery itself is not distributed as an MSI; the file name below is illustrative)
Filter/Exclusion: process.name contains "msiexec.exe" or file.name contains "jquery-3.6.0.msi"
Scenario: Admin task involving jQuery for internal tool development
Filter/Exclusion: (user.name contains "admin" and process.name contains "vscode.exe") or file.path contains "/dev/tools/"
Scenario: Legacy system maintenance using jQuery for UI components
Filter/Exclusion: file.name contains "legacy_ui.js" or process.args contains "maintain_legacy_system"