The overwrite globals hack rule detects adversaries attempting to manipulate global variables in a script (here, PHP's `$GLOBALS` array) to alter program behavior or bypass security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify script-based attacks that could evade traditional detection mechanisms.
YARA Rule

```yara
rule overwrite_globals_hack {
    strings:
        $ = /\$GLOBALS\['[^']{,20}'\]=Array\(/
    condition:
        any of them
}
```
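To see exactly what the rule's pattern does and does not match, here is the same regular expression mirrored in Python's `re` module and run over a few constructed PHP fragments. This is an added example, not part of the original page; it assumes Python's `{,20}` quantifier means the same as YARA's (zero to twenty repetitions), which holds for this pattern.

```python
import re

# The rule's regex, copied into Python syntax. Like YARA, Python reads
# {,20} as "between zero and twenty occurrences" of a non-quote character.
OVERWRITE_GLOBALS_RE = re.compile(r"\$GLOBALS\['[^']{,20}'\]=Array\(")


def find_overwrite_globals(source: str) -> list[str]:
    """Return every fragment of `source` that the rule's regex would flag."""
    return OVERWRITE_GLOBALS_RE.findall(source)


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Scan a mapping of path -> content and keep only files with at least one hit."""
    hits: dict[str, list[str]] = {}
    for path, content in files.items():
        found = find_overwrite_globals(content)
        if found:
            hits[path] = found
    return hits


# Constructed PHP fragments (not real files) chosen to show the rule's edges.
SAMPLES = {
    # Hit: exact quote, bracket and case form the rule looks for.
    "upload.php": "<?php $GLOBALS['c']=Array('k'=>1); ?>",
    # Hit: a 20-character key is still within the {,20} bound.
    "twenty.php": "<?php $GLOBALS['abcdefghijklmnopqrst']=Array(); ?>",
    # Miss: a 21-character key exceeds the bound.
    "twentyone.php": "<?php $GLOBALS['abcdefghijklmnopqrstu']=Array(); ?>",
    # Miss: spaces around '=' and lowercase 'array' are not in the pattern.
    "spaced.php": "<?php $GLOBALS['c'] = array('k' => 1); ?>",
    # Miss: the pattern only accepts a single-quoted key.
    "dquote.php": '<?php $GLOBALS["c"]=Array(); ?>',
}

if __name__ == "__main__":
    for path, found in scan_files(SAMPLES).items():
        print(f"{path}: {found}")
```

The misses are worth noting when tuning: the pattern is literal and case-sensitive, so whitespace, double quotes, or `array(` in lowercase are not caught by this rule alone.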
When this YARA rule is deployed, the following benign scenarios may overlap with its matches; each lists a suggested filter or exclusion for tuning:
Scenario: Scheduled System Updates
Description: A legitimate scheduled job runs to update system-wide configuration files, which may trigger the rule due to file modifications.
Filter/Exclusion: Exclude files modified by known update tools like yum, apt, or Windows Update using a filter like:
file.name IN ("/etc/apt/apt.conf", "/etc/yum.conf", "C:\\Windows\\System32\\svchost.exe")
Scenario: Admin Task - Overwrite Global Configuration Files
Description: An administrator manually overwrites global configuration files (e.g., nginx.conf, httpd.conf) during routine maintenance.
Filter/Exclusion: Exclude files modified by admin users with elevated privileges using:
user.name IN ("root", "Administrator") AND file.name IN ("/etc/nginx/nginx.conf", "/etc/httpd/conf/httpd.conf")
Scenario: Log Rotation or File Archiving
Description: A log rotation tool like logrotate or a backup script archives or rotates log files, which may be flagged as suspicious file overwrites.
Filter/Exclusion: Exclude files associated with log rotation or backup processes using:
file.name IN ("/var/log/*.log", "/backup/*.tar.gz") OR process.name IN ("logrotate", "rsync")
Scenario: Database Backup or Restore Operation
Description: A database backup or restore task (e.g., using mysqldump, pg_dump, or sqlcmd) may overwrite global state files.
Filter/Exclusion: Exclude files modified by database tools using:
process.name IN ("mysqldump", "pg_dump", "sqlcmd") OR file.name IN ("/var/lib/mysql/*.sql", "/var/lib/postgresql/*.dump")
**Scenario: Malware Analysis or