The obfuscated_globals rule flags a common obfuscation construct: a PHP `$GLOBALS` entry assigned a string that is written entirely as hex escapes (e.g. `$GLOBALS['y63581'] = "\x43..."`), which adversaries use to hide code from string-based inspection, evade detection and maintain persistence. SOC teams should proactively hunt for this pattern in Azure Sentinel to identify and contain early-stage compromise attempts that may otherwise go unnoticed.
YARA Rule
    rule obfuscated_globals {
        /* Example of the pattern this string matches:
           $GLOBALS['y63581'] = "\x43 */
        strings:
            $ = /\$GLOBALS\['.{1,10}'\] = "\\x/
        condition:
            any of them
    }
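To show exactly what the rule's single regex string does and does not cover, the following added example (not part of the original page or the rule's author's material) re-implements the pattern with Python's re module and runs it over constructed sample file contents. The sample bodies, names and offsets are all made up for the demonstration.

```python
import re

# Python equivalent of the rule's one anonymous YARA string. In YARA it is
# written /\$GLOBALS\['.{1,10}'\] = "\\x/ : a $GLOBALS assignment whose key is
# 1 to 10 characters long, inside single quotes, followed by exactly " = ",
# and whose double-quoted value opens with a hex escape such as \x43.
# The "\\x" in the YARA regex matches a literal backslash followed by x.
OBFUSCATED_GLOBALS_RE = re.compile(rb"\$GLOBALS\['.{1,10}'\] = \"\\x")


def rule_matches(content: bytes) -> bool:
    """Equivalent of 'condition: any of them' for the single string."""
    return OBFUSCATED_GLOBALS_RE.search(content) is not None


def hits(content: bytes) -> list:
    """Byte offsets of every match, as YARA reports them with -s."""
    return [m.start() for m in OBFUSCATED_GLOBALS_RE.finditer(content)]


# Constructed sample contents (not real files) exercising the rule's edges.
SAMPLES = {
    # True positive: short key, single quotes, value starts with \x.
    "hex_encoded_globals": b"<?php\n$GLOBALS['y63581'] = \"\\x43\\x48\\x52\";",
    # Ordinary assignment: value is readable text, no hex escape.
    "plain_globals": b"<?php\n$GLOBALS['config'] = \"production\";",
    # Key longer than 10 characters falls outside .{1,10}.
    "long_key": b"<?php\n$GLOBALS['this_key_is_long'] = \"\\x41\";",
    # Same construct without the spaces around '=' is not matched.
    "no_spaces": b"<?php\n$GLOBALS['a']=\"\\x41\";",
    # Double-quoted key is not matched; the rule requires single quotes.
    "double_quoted_key": b"<?php\n$GLOBALS[\"k\"] = \"\\x41\";",
}


def scan_samples() -> dict:
    """Map each constructed sample to whether the rule fires on it."""
    return {name: rule_matches(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in scan_samples().items():
        print(f"{name:22s} {'MATCH' if fired else 'no match'}")
```

The three non-matching variants illustrate the rule's precision trade-off: it is tied to the exact spacing and quoting shown in the comment, so trivially reformatted versions of the same construct need their own strings or a looser regex, which should then be re-tested against benign code before deployment.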
When this YARA rule is deployed, the following benign scenarios can produce matches; the filter or exclusion listed with each reduces that noise:
Scenario: A system administrator is using PowerShell to obfuscate a script for internal use (e.g., to bypass script execution policies).
Filter/Exclusion: Check for ProcessName containing powershell.exe and CommandLine containing -EncodedCommand or -EncodedScript.
Scenario: A scheduled job runs a legitimate obfuscated script to perform system maintenance, such as log rotation or configuration updates.
Filter/Exclusion: Filter by ProcessName matching the job scheduler (e.g., schtasks.exe or task scheduler), and check for known maintenance scripts in a trusted directory.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) is using obfuscated scripts to securely pass credentials or environment variables.
Filter/Exclusion: Check for ProcessName related to CI/CD tools (e.g., jenkins.exe, github-runner.exe) and verify if the script is part of a known pipeline configuration.
Scenario: A security tool (e.g., CrowdStrike, SentinelOne) is using obfuscated payloads for evasion during red team exercises.
Filter/Exclusion: Filter by ProcessName matching the security tool’s executable and check for known red team or penetration testing activities in the event logs.
Scenario: A configuration management tool (e.g., Ansible, Chef) is using obfuscated templates or scripts to manage remote systems.
Filter/Exclusion: Check for ProcessName related to configuration management tools and verify if the script is part of a known configuration management workflow.
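The five filters above can be expressed as one data-driven triage step applied to each process event that accompanies a rule hit. The following is an added example, not part of the original page: the Exclusion class, the field names (ProcessName, CommandLine, ScriptPath, Host), the trusted directory, the known script names, the edr-agent.exe image name and the engagement host list are all hypothetical placeholders to be replaced with your environment's own values.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed, hypothetical tuning values; replace with your own.
TRUSTED_MAINT_DIR = r"C:\Ops\Maintenance"            # scenario 2
KNOWN_PIPELINE_SCRIPTS = frozenset({"build.ps1", "deploy.ps1"})  # scenario 3
ENGAGEMENT_HOSTS = frozenset({"lab-ws07"})           # scenario 4
KNOWN_CM_SCRIPTS = frozenset({"site.yml", "default.rb"})         # scenario 5


@dataclass(frozen=True)
class Exclusion:
    reason: str
    process_names: frozenset                 # lower-cased image names
    cmdline_markers: tuple = ()              # one must appear in CommandLine
    trusted_dirs: tuple = ()                 # ScriptPath must sit under one of these...
    known_scripts: frozenset = frozenset()   # ...or be one of these file names
    hosts: frozenset = frozenset()           # Host must be in this set

    def applies(self, event: dict) -> bool:
        if event.get("ProcessName", "").lower() not in self.process_names:
            return False
        cmd = event.get("CommandLine", "").lower()
        if self.cmdline_markers and not any(m.lower() in cmd for m in self.cmdline_markers):
            return False
        if self.trusted_dirs or self.known_scripts:
            path = PureWindowsPath(event.get("ScriptPath", ""))
            under = any(PureWindowsPath(d) in path.parents for d in self.trusted_dirs)
            if not under and path.name.lower() not in self.known_scripts:
                return False
        if self.hosts and event.get("Host", "").lower() not in self.hosts:
            return False
        return True


# One entry per scenario on the page, in the same order.
EXCLUSIONS = (
    Exclusion("admin encoded PowerShell", frozenset({"powershell.exe"}),
              cmdline_markers=("-EncodedCommand", "-EncodedScript")),
    Exclusion("scheduled maintenance script", frozenset({"schtasks.exe"}),
              trusted_dirs=(TRUSTED_MAINT_DIR,)),
    Exclusion("known CI/CD pipeline step", frozenset({"jenkins.exe", "github-runner.exe"}),
              known_scripts=KNOWN_PIPELINE_SCRIPTS),
    Exclusion("security tool during engagement", frozenset({"edr-agent.exe"}),  # hypothetical name
              hosts=ENGAGEMENT_HOSTS),
    Exclusion("known configuration-management run",
              frozenset({"ansible-playbook", "chef-client.exe"}), known_scripts=KNOWN_CM_SCRIPTS),
)


def triage(event: dict) -> tuple:
    """Return ("suppress", reason) if a tuned exclusion applies, else ("alert", "")."""
    for exc in EXCLUSIONS:
        if exc.applies(event):
            return ("suppress", exc.reason)
    return ("alert", "")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    "encoded_ps_admin": {"ProcessName": "powershell.exe", "Host": "ws01",
                         "CommandLine": "powershell.exe -NoProfile -EncodedCommand BASE64PLACEHOLDER"},
    "maintenance_job": {"ProcessName": "schtasks.exe", "Host": "srv02",
                        "ScriptPath": r"C:\Ops\Maintenance\rotate-logs.ps1"},
    "job_outside_trusted_dir": {"ProcessName": "schtasks.exe", "Host": "srv02",
                                "ScriptPath": r"C:\Users\Public\rotate-logs.ps1"},
    "pipeline_step": {"ProcessName": "github-runner.exe", "Host": "ci01",
                      "ScriptPath": r"D:\runner\_work\repo\build.ps1"},
    "tool_outside_engagement": {"ProcessName": "edr-agent.exe", "Host": "ws09"},
    "unknown_process": {"ProcessName": "w3wp.exe", "CommandLine": "w3wp.exe", "Host": "web01"},
}


def triage_samples() -> dict:
    return {name: triage(ev)[0] for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:24s} {triage(ev)}")
```

Note the design choice that each exclusion requires all of its configured conditions, so the scheduler and tool exclusions only suppress when the script path or host is also on the allowlist; a hit from the same process outside those bounds still alerts. The first exclusion is implemented exactly as the page states it; encoded PowerShell is equally common in attacker tradecraft, so in practice scope it further (trusted script paths, signing, or specific admin hosts) rather than suppressing it on process name and switch alone.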