Adversaries may use obfuscated eval techniques to dynamically execute malicious code and evade traditional detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential code injection attempts and early-stage malware execution.
YARA Rule
rule obfuscated_eval {
    strings:
        // "eval" spelled out as the hex escapes \x65\x76\x61\x6C, with optional
        // whitespace between them; nocase so a lowercase \x6c also matches
        $hex_eval = /\\x65\s*\\x76\s*\\x61\s*\\x6C/ nocase
        // a quoted regex that carries the /e modifier, e.g. "/(.+)/e"
        // (as a regex, not a text string, so that .* is a wildcard rather than literal)
        $e_modifier = /"\/.*\/e"/
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
Scenario: A system administrator is using PowerShell to run a scheduled job that dynamically generates and executes a string of code for system diagnostics.
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name != "schtasks.exe"
Scenario: A Windows Task Scheduler job is configured to execute a script that uses eval() in a JavaScript context for configuration parsing.
Filter/Exclusion: process.name != "taskhostw.exe" or process.parent.name != "schtasks.exe"
Scenario: A Python script is used by a DevOps team to dynamically generate and execute configuration commands during deployment, using eval() in a controlled environment.
Filter/Exclusion: process.name != "python.exe" or process.parent.name != "jenkins.exe"
Scenario: A Java application uses ScriptEngineManager to evaluate user-provided expressions for custom reporting, which is part of a business intelligence tool.
Filter/Exclusion: process.name != "java.exe" or process.parent.name != "bi-tool.exe"
Scenario: A Syslog parser or log management tool (e.g., Splunk or ELK) uses eval() in its search language to filter or transform log data.
Filter/Exclusion: process.name != "splunkd.exe" and process.name != "java.exe" (java.exe for the ELK stack). Note that joining the two comparisons with "or" would be true for every process name and would exclude nothing.
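To show how the rule and the scenario exclusions fit together, here is an added Python example (not from the original page): the two YARA patterns as Python regexes, applied to process events, with the exclusions above encoded as data. The event shape, the sample command lines and the process names beyond those listed on the page are constructed for this example.

```python
import re

# Added example: the YARA rule's two patterns as Python regexes, applied to
# events with process.name / process.parent.name fields, with the page's
# scenario exclusions encoded as data. Event shape and samples are constructed.

# "eval" written as hex escapes; IGNORECASE covers \x6C as well as \x6c
HEX_EVAL = re.compile(r"\\x65\s*\\x76\s*\\x61\s*\\x6c", re.IGNORECASE)
# a quoted pattern carrying the /e modifier, e.g. "/(.+)/e"
E_MODIFIER = re.compile(r'"/.*/e"')

# (process name, parent name) pairs the scenarios treat as expected eval use
PAIR_EXCLUSIONS = {
    ("powershell.exe", "schtasks.exe"), ("taskhostw.exe", "schtasks.exe"),
    ("python.exe", "jenkins.exe"), ("java.exe", "bi-tool.exe"),
}
# process names excluded regardless of parent (Splunk / ELK scenario)
NAME_EXCLUSIONS = {"splunkd.exe", "java.exe"}

def is_obfuscated_eval(text: str) -> bool:
    # True when either YARA string would fire on the text
    return bool(HEX_EVAL.search(text) or E_MODIFIER.search(text))

def should_alert(event: dict) -> bool:
    # detection first, then the exclusions; both must pass to alert
    if not is_obfuscated_eval(event.get("command_line", "")):
        return False
    name = event["process"]["name"].lower()
    parent = event["process"].get("parent", {}).get("name", "").lower()
    return name not in NAME_EXCLUSIONS and (name, parent) not in PAIR_EXCLUSIONS

# constructed sample events: hex-escaped eval, the same inside an excluded
# scheduled-task context, a preg_replace /e pattern, and a plain eval(
SAMPLE_EVENTS = [
    {"process": {"name": "node.exe", "parent": {"name": "cmd.exe"}},
     "command_line": "node -e \"global['\\x65\\x76\\x61\\x6C'](payload)\""},
    {"process": {"name": "powershell.exe", "parent": {"name": "schtasks.exe"}},
     "command_line": "powershell -c \"$s = '\\x65\\x76\\x61\\x6c'\""},
    {"process": {"name": "php.exe", "parent": {"name": "httpd.exe"}},
     "command_line": "php -r 'preg_replace(\"/(.+)/e\", \"strtoupper(\\\\1)\", $s);'"},
    {"process": {"name": "explorer.exe", "parent": {"name": "userinit.exe"}},
     "command_line": "explorer.exe eval(config)"},
]

def triage(events=SAMPLE_EVENTS):
    # names of the processes whose events survive the exclusions
    return [e["process"]["name"] for e in events if should_alert(e)]

print(triage())  # → ['node.exe', 'php.exe']
```

The scheduled-task PowerShell event matches the pattern but is dropped by the pair exclusion, which is exactly the trade-off the scenarios above describe: the exclusion silences the expected case and would equally silence an adversary who reaches the same process and parent.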