The rule below matches a hardcoded table of small primes: the 53 odd primes below 256 (3, 5, 7, ..., 251) stored as consecutive single bytes. A table like this is a fingerprint of arithmetic code that does trial division or sieving by small primes, typically bignum routines and the key-generation paths of RSA or Diffie-Hellman implementations, so the rule identifies embedded cryptographic capability rather than malicious intent. That makes it useful in triage and hunting for surfacing samples that carry their own key generation (ransomware, custom packers, malware with statically linked crypto), whether the scan runs over files on disk, process memory or a sample repository. Hits can be forwarded to the SIEM (e.g., Microsoft Sentinel) for correlation with process and host telemetry, but YARA itself runs on the endpoint or in a scanning service, not inside the SIEM, and a hit on its own is not evidence of covert communication or exfiltration.
YARA Rule
rule Prime_Constants_char {
    meta:
        author = "_pusher_"
        description = "List of primes [char]"
        date = "2016-07"
    strings:
        $c0 = { 03 05 07 0B 0D 11 13 17 1D 1F 25 29 2B 2F 35 3B 3D 43 47 49 4F 53 59 61 65 67 6B 6D 71 7F 83 89 8B 95 97 9D A3 A7 AD B3 B5 BF C1 C5 C7 D3 DF E3 E5 E9 EF F1 FB }
    condition:
        $c0
}
Deployment and tuning notes
The detection logic is a single string, $c0, with no file-size, header or section constraint, so the rule fires on any file or memory region that contains the whole 53-byte table, benign or not. It can be used in endpoint file scans, memory scans of running processes, sandbox post-processing and retrohunts over a sample store. Because the table identifies arithmetic code rather than behaviour, the value of a hit depends on what is carrying it: an unsigned binary in a user-writable directory with an embedded small-prime table deserves a look, a known crypto library does not. Note also that the rule matches the raw bytes 03 05 07 ..., so ASCII text containing the decimal digits of primes (scripts, logs, timestamps) does not match, and neither does a table stored as 16- or 32-bit integers; those encodings need a separate rule.
Scenarios that can produce benign hits or alert noise, with an exclusion a SOC might apply at the alerting layer (these filters act on the telemetry around the hit, such as the process, task or event source, not on the YARA match itself):
Scenario: System inventory scan by Microsoft System Center Configuration Manager (SCCM) touching files that embed the table
Filter/Exclusion: Exclude events related to SCCM inventory collection by source or event ID (e.g., event ID 10000 or source "SMS Executive").
Scenario: Windows Update Agent performing a background check for updates
Filter/Exclusion: Exclude events from the Windows Update client provider (source "Windows Update"); filter on the provider rather than on event ID 19, which in that log is the "installation successful" event, not update detection.
Scenario: PowerShell script running a prime number check as part of a math or algorithm test
Filter/Exclusion: Only a script that hardcodes the table as bytes can match; a script that computes primes leaves no such byte sequence on disk. Where such test tooling exists, exclude processes whose command line contains "prime" or "math test", or filter by the user account that runs them (e.g., a test account), and keep the exclusion as narrow as the tooling allows, since a command-line keyword is trivially added by an attacker.
Scenario: Scheduled Task running a script that generates prime numbers for data validation
Filter/Exclusion: Exclude the task by name or path (e.g., "DataValidationScript") or by the account that runs it; prefer path plus account over a name alone, since task names are attacker-controlled.
Scenario: Log management tool (e.g., Splunk, ELK Stack) indexing logs that include prime numbers in timestamps or metadata
Filter/Exclusion: Decimal primes in text logs cannot match this byte pattern, so a hit in indexed log data points to binary content (attachments, extracted files) rather than the log text itself; if the scan covers such sources, exclude them by log source or log type (e.g., "system logs" or "application logs").
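The following is an added example, not part of the original page or of _pusher_'s ruleset. It rebuilds the rule's constant from a prime sieve to confirm that $c0 is exactly the odd primes below 256 as single bytes, then scans constructed buffers (not real samples) for it: a "binary" with the table embedded, the same table stored as 32-bit little-endian integers (an assumed layout for a wider table), the primes written out as ASCII text, and an unrelated file. The last three produce no hit, which is the point behind the tuning notes above.

```python
# Added example (not from the original page or _pusher_'s ruleset):
# rebuild the rule's constant from first principles and scan constructed
# buffers for it, to show what the signature actually keys on.
import re

# The hex string from the YARA rule, verbatim.
RULE_HEX = (
    "03 05 07 0B 0D 11 13 17 1D 1F 25 29 2B 2F 35 3B 3D 43 47 49 "
    "4F 53 59 61 65 67 6B 6D 71 7F 83 89 8B 95 97 9D A3 A7 AD B3 "
    "B5 BF C1 C5 C7 D3 DF E3 E5 E9 EF F1 FB"
)
RULE_PATTERN = bytes.fromhex(RULE_HEX.replace(" ", ""))


def primes_below(n):
    """Sieve of Eratosthenes: all primes p with 2 <= p < n."""
    sieve = bytearray([1]) * n
    sieve[0:2] = b"\x00\x00"
    for p in range(2, int(n ** 0.5) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(range(p * p, n, p)))
    return [p for p in range(n) if sieve[p]]


def prime_table(width=1, byteorder="little"):
    """Odd primes below 256 encoded as fixed-width integers, the way a
    trial-division table is laid out in a compiled binary. width=1 is the
    'char' form the rule matches; width=4 (an assumed layout for a 32-bit
    table) is an encoding the rule does not match."""
    return b"".join(
        p.to_bytes(width, byteorder) for p in primes_below(256) if p != 2
    )


def find_table(data, pattern=RULE_PATTERN):
    """Offsets at which the full 53-byte table occurs (what $c0 matches)."""
    return [m.start() for m in re.finditer(re.escape(pattern), data)]


# Constructed sample buffers standing in for scanned files (not real samples).
SAMPLES = {
    # a "crypto library" with the table embedded in its data section
    "crypto_lib.bin": b"\x90" * 64 + prime_table() + b"\x00" * 32,
    # the same primes as a 32-bit table: the char rule does not match this
    "crypto_lib32.bin": b"\x90" * 64 + prime_table(width=4) + b"\x00" * 32,
    # the primes written out as ASCII text, as a log line would carry them
    "prime_log.txt": b"primes: "
    + ",".join(str(p) for p in primes_below(256)).encode(),
    # an unrelated file whose bytes happen to run 03 04 05 06 07 ...
    "plain.bin": bytes(range(256)),
}


def scan_samples(samples=SAMPLES):
    """Map sample name -> list of match offsets; an empty list is no hit."""
    return {name: find_table(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    assert prime_table() == RULE_PATTERN, "rule constant is not the odd primes < 256"
    for name, hits in scan_samples().items():
        print(f"{name:18s} {'HIT at ' + str(hits) if hits else 'no match'}")
```

Running the block prints one line per constructed sample; only crypto_lib.bin reports a hit, at offset 64. Swapping the regex scan for yara-python against the rule text gives the same result, since the rule is nothing more than that one byte sequence.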