This detection rule flags potential adversary activity by searching for the MD5 algorithm's constants (its initial state words and round constants, as raw bytes in both byte orders), which may indicate the presence of hardcoded malicious payloads or indicators of compromise. SOC teams should proactively hunt for this behaviour in Azure Sentinel to uncover hidden malicious artifacts that could signal advanced persistent threats or data exfiltration attempts.
YARA Rule

rule MD5_Constants {
    meta:
        author = "phoul (@phoul)"
        description = "Look for MD5 constants"
        date = "2014-01"
        version = "0.2"
    strings:
        // Init constants (MD5 state words A, B, C, D), big-endian byte order
        $c0 = { 67452301 }
        $c1 = { efcdab89 }
        $c2 = { 98badcfe }
        $c3 = { 10325476 }
        // The same init constants as stored on little-endian (x86) targets
        $c4 = { 01234567 }
        $c5 = { 89ABCDEF }
        $c6 = { FEDCBA98 }
        $c7 = { 76543210 }
        // Round 2
        $c8 = { F4D50d87 }
        $c9 = { 78A46AD7 }
    condition:
        5 of them
}
This rule contains 10 string patterns ($c0 to $c9) in its detection logic and matches when at least 5 of them are present in a file. Common benign scenarios that can trigger it, each with a filter or exclusion that addresses it:

- Scenario: A system administrator is using a known MD5 hash to verify file integrity during a software update.
  Filter/Exclusion: Exclude hashes associated with known system files, or hashes found under the /etc/ or /usr/bin/ directories, using a regex pattern for MD5 hashes.

- Scenario: A scheduled job runs a script that includes hardcoded MD5 hashes for validation, for example in a CI/CD pipeline.
  Filter/Exclusion: Exclude hashes found in scripts located under /opt/ci/ or /var/jenkins/, or use a whitelist of known safe MD5 hashes used by CI/CD tools.

- Scenario: A developer is using a static analysis tool (e.g., bandit, SonarQube) that includes MD5 hashes for testing purposes.
  Filter/Exclusion: Exclude hashes found in directories such as /home/developer/tools/ or in files with known static analysis tool names.

- Scenario: A log file contains MD5 hashes as part of a legitimate audit or compliance process, such as a log rotation script.
  Filter/Exclusion: Exclude hashes found in log files under /var/log/ or in files with names like audit.log, rotate.log, or compliance.log.

- Scenario: A backup tool (e.g., rsync, tar, Veeam) generates or uses MD5 hashes for data integrity checks during backup operations.
  Filter/Exclusion: Exclude hashes found in backup directories such as /backup/ or /mnt/backup/, or in files with names like backup_hashes.txt or checksums.md5.
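To show what the rule's ten byte patterns actually hit, here is an added pure-Python scan (written for this page, not code from the rule's author or the Yara-Rules project) that applies the same patterns and the same "5 of them" threshold to two constructed buffers: one resembling an x86 MD5 implementation, and one script that only carries an MD5 digest as text. It assumes only the Python standard library.

```python
import struct

# The ten byte patterns from the MD5_Constants YARA rule ($c0..$c9).
# A YARA hex string is a literal byte sequence, so each entry is the bytes
# the rule scans for, not a 32-bit integer.
MD5_CONSTANT_PATTERNS = {
    "c0": bytes.fromhex("67452301"),  # IV word A, big-endian byte order
    "c1": bytes.fromhex("efcdab89"),  # IV word B, big-endian
    "c2": bytes.fromhex("98badcfe"),  # IV word C, big-endian
    "c3": bytes.fromhex("10325476"),  # IV word D, big-endian
    "c4": bytes.fromhex("01234567"),  # IV word A as stored on little-endian (x86) targets
    "c5": bytes.fromhex("89abcdef"),  # IV word B, little-endian
    "c6": bytes.fromhex("fedcba98"),  # IV word C, little-endian
    "c7": bytes.fromhex("76543210"),  # IV word D, little-endian
    "c8": bytes.fromhex("f4d50d87"),  # round constant K[26] = 0xf4d50d87, big-endian
    "c9": bytes.fromhex("78a46ad7"),  # round constant K[0] = 0xd76aa478, little-endian
}
REQUIRED_MATCHES = 5  # the rule's condition: "5 of them"


def find_md5_constants(data: bytes) -> dict:
    """Return {pattern_name: [offsets]} for every pattern present in data."""
    hits = {}
    for name, pattern in MD5_CONSTANT_PATTERNS.items():
        offsets, start = [], 0
        while (idx := data.find(pattern, start)) != -1:
            offsets.append(idx)
            start = idx + 1
        if offsets:
            hits[name] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """Mirror the YARA condition: at least 5 distinct strings must occur."""
    return len(find_md5_constants(data)) >= REQUIRED_MATCHES


# Constructed sample 1: what an x86 MD5 implementation leaves in a binary,
# the four IV words and round constant K[0], packed little-endian (padded with NOPs).
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
SAMPLE_X86_MD5_IMPL = (b"\x90" * 16 + struct.pack("<4I", *MD5_IV)
                       + struct.pack("<I", 0xD76AA478) + b"\x90" * 16)

# Constructed sample 2: a script that only embeds a digest as ASCII text.
# The hex characters are not the raw constant bytes, so the rule does not fire.
SAMPLE_DIGEST_TEXT = b"expected_md5 = '67452301efcdab8998badcfe10325476'\n"
```

Running find_md5_constants over SAMPLE_X86_MD5_IMPL reports the little-endian patterns c4 to c7 plus c9, exactly the five the condition needs, while the digest-as-text sample yields no hits at all, which is why the exclusions above should target the files that embed MD5 code rather than files that merely list hash values.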