The detection rule identifies potential adversary activity through miscellaneous IOCs that may indicate low-level reconnaissance or initial access attempts. SOC teams should proactively hunt for these indicators in Azure Sentinel to uncover stealthy tactics that bypass traditional detection methods.
YARA Rule
rule misc_iocs
{
    meta:
        author = "@patrickrolsen"
        maltype = "Misc."
        version = "0.1"
        reference = "N/A"
    strings:
        $doc = {D0 CF 11 E0} // DOCFILE0: OLE compound document header
        $s1 = "dw20.exe"
        $s2 = "cmd /"
    condition:
        ($doc at 0) and (1 of ($s*))
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
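The following is an added example, not code from the page or from the rule's author: a small pure-Python matcher that evaluates the rule's condition (`$doc at 0` plus at least one of the `$s*` strings) over in-memory buffers, so an analyst can triage or unit-test the logic without a YARA install. The sample buffers are constructed here and are not real documents.

```python
from dataclasses import dataclass, field

# Patterns copied from the rule; YARA text strings are byte-exact and
# case-sensitive unless modifiers are given, so a plain bytes search is faithful.
OLE_MAGIC = bytes.fromhex("D0CF11E0")                   # $doc, must sit at offset 0
IOC_STRINGS = {"$s1": b"dw20.exe", "$s2": b"cmd /"}     # 1 of ($s*)


@dataclass
class MatchResult:
    matched: bool            # overall rule verdict
    doc_at_0: bool           # was the OLE header found at offset 0?
    hits: dict = field(default_factory=dict)  # string id -> list of offsets


def _find_all(data: bytes, needle: bytes) -> list:
    """Return every offset of needle in data (overlapping hits included)."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def scan_misc_iocs(data: bytes) -> MatchResult:
    """Evaluate `($doc at 0) and (1 of ($s*))` exactly as the rule states it."""
    doc_at_0 = data.startswith(OLE_MAGIC)
    hits = {}
    for ident, needle in IOC_STRINGS.items():
        offsets = _find_all(data, needle)
        if offsets:
            hits[ident] = offsets
    # `$doc at 0` is strict: a header anywhere else does not satisfy the rule.
    return MatchResult(matched=doc_at_0 and bool(hits), doc_at_0=doc_at_0, hits=hits)


# Constructed sample buffers (not real files): an OLE header padded out,
# with and without one of the rule's strings, plus a shifted-header case.
SAMPLE_CLEAN = OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 64
SAMPLE_HIT = OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 32 + b"cmd /c echo test" + b"\x00" * 16
SAMPLE_SHIFTED = b"MZ\x00\x00" + SAMPLE_HIT   # magic at offset 4 -> must not match

if __name__ == "__main__":
    for name, buf in (("clean", SAMPLE_CLEAN), ("hit", SAMPLE_HIT), ("shifted", SAMPLE_SHIFTED)):
        r = scan_misc_iocs(buf)
        print(f"{name:8s} matched={r.matched} doc_at_0={r.doc_at_0} hits={r.hits}")
```

The shifted sample shows why `$doc at 0` matters: the same strings embedded in a file whose OLE header is not at offset 0 (for example an OLE object appended to another container) do not fire this rule.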
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script or command that matches the IOC (e.g., netsh, ipconfig, or taskkill).
Filter/Exclusion: process.parent_process == "schtasks.exe" or process.name == "schtasks.exe"
Scenario: Admin Performing System Cleanup
Description: An administrator is using tools like del, rmdir, or cleanmgr to remove temporary files or unused registry entries.
Filter/Exclusion: process.name == "cleanmgr.exe" or (process.name == "cmd.exe" and user == "Administrator")
Scenario: Log File Rotation or Archiving
Description: A log management tool like logrotate or PowerShell script is archiving or rotating log files, which may include commands matching the IOC.
Filter/Exclusion: process.name == "logrotate" or (process.name == "powershell.exe" and command_line LIKE "%logrotate%")
Scenario: Network Configuration Change via GUI Tool
Description: A user is configuring network settings via the GUI (e.g., ncpa.cpl or netsh), which may trigger network-related IOCs.
Filter/Exclusion: process.name == "ncpa.cpl" or (process.name == "netsh.exe" and user == "User")
Scenario: Database Backup Job Execution
Description: A database backup job (e.g., using sqlcmd, mysqldump, or pg_dump) is running and may include commands that match the IOC.
Filter/Exclusion: process.name == "sqlcmd.exe" or process.name == "mysqldump.exe" or process.name == "pg_dump.exe"