This detection rule flags a file or memory region that embeds a hard-coded table of small primes (3 through 251, stored as consecutive 32-bit little-endian integers); such a constant block may indicate obfuscation or encoding routines used to evade detection. SOC teams should proactively hunt for this pattern in Azure Sentinel to uncover stealthy malware or data exfiltration tooling that relies on mathematical constants to remain undetected.
YARA Rule
rule Prime_Constants_long {
    meta:
        author = "_pusher_"
        description = "List of primes [long]"
        date = "2016-07"
    strings:
        $c0 = { 03 00 00 00 05 00 00 00 07 00 00 00 0B 00 00 00 0D 00 00 00 11 00 00 00 13 00 00 00 17 00 00 00 1D 00 00 00 1F 00 00 00 25 00 00 00 29 00 00 00 2B 00 00 00 2F 00 00 00 35 00 00 00 3B 00 00 00 3D 00 00 00 43 00 00 00 47 00 00 00 49 00 00 00 4F 00 00 00 53 00 00 00 59 00 00 00 61 00 00 00 65 00 00 00 67 00 00 00 6B 00 00 00 6D 00 00 00 71 00 00 00 7F 00 00 00 83 00 00 00 89 00 00 00 8B 00 00 00 95 00 00 00 97 00 00 00 9D 00 00 00 A3 00 00 00 A7 00 00 00 AD 00 00 00 B3 00 00 00 B5 00 00 00 BF 00 00 00 C1 00 00 00 C5 00 00 00 C7 00 00 00 D3 00 00 00 DF 00 00 00 E3 00 00 00 E5 00 00 00 E9 00 00 00 EF 00 00 00 F1 00 00 00 FB 00 00 00 }
    condition:
        $c0
}
The rule's detection logic consists of a single string pattern, $c0, and the condition fires wherever that exact byte sequence appears in the scanned object.
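To show what the rule actually keys on, the following Python (an added example, not part of the original rule page or the rule author's work) decodes the $c0 pattern, verifies that it is the run of consecutive primes from 3 to 251, and checks which memory layouts of that same table the bare `$c0` condition would hit. The sample buffers, the fake "MZ" header and the helper names are all constructed for this illustration.

```python
import struct
from typing import List, Optional

# Hex pattern copied verbatim from the $c0 string of the Prime_Constants_long rule.
C0_HEX = (
    "03 00 00 00 05 00 00 00 07 00 00 00 0B 00 00 00 0D 00 00 00 11 00 00 00 "
    "13 00 00 00 17 00 00 00 1D 00 00 00 1F 00 00 00 25 00 00 00 29 00 00 00 "
    "2B 00 00 00 2F 00 00 00 35 00 00 00 3B 00 00 00 3D 00 00 00 43 00 00 00 "
    "47 00 00 00 49 00 00 00 4F 00 00 00 53 00 00 00 59 00 00 00 61 00 00 00 "
    "65 00 00 00 67 00 00 00 6B 00 00 00 6D 00 00 00 71 00 00 00 7F 00 00 00 "
    "83 00 00 00 89 00 00 00 8B 00 00 00 95 00 00 00 97 00 00 00 9D 00 00 00 "
    "A3 00 00 00 A7 00 00 00 AD 00 00 00 B3 00 00 00 B5 00 00 00 BF 00 00 00 "
    "C1 00 00 00 C5 00 00 00 C7 00 00 00 D3 00 00 00 DF 00 00 00 E3 00 00 00 "
    "E5 00 00 00 E9 00 00 00 EF 00 00 00 F1 00 00 00 FB 00 00 00"
)
C0_BYTES = bytes.fromhex(C0_HEX)  # bytes.fromhex ignores the spaces between byte pairs


def decode_table(raw: bytes) -> List[int]:
    """Unpack raw bytes as unsigned 32-bit little-endian integers, the layout $c0 encodes."""
    return [v for (v,) in struct.iter_unpack("<I", raw)]


def is_prime(n: int) -> bool:
    """Trial-division primality test; adequate for the small values this table holds."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def primes_in_range(lo: int, hi: int) -> List[int]:
    return [n for n in range(lo, hi + 1) if is_prime(n)]


def is_consecutive_prime_table(values: List[int]) -> bool:
    """True when values are exactly every prime from values[0] up to values[-1]."""
    return bool(values) and values == primes_in_range(values[0], values[-1])


def pack_table(values: List[int], fmt: str) -> bytes:
    """Serialise the same primes in another layout (a struct format such as '<H' or '>I')."""
    return b"".join(struct.pack(fmt, v) for v in values)


def find_table(buf: bytes, needle: bytes = C0_BYTES) -> Optional[int]:
    """Offset of the rule's byte pattern inside buf, or None (mirrors the bare `$c0` condition)."""
    off = buf.find(needle)
    return None if off < 0 else off


PRIMES = decode_table(C0_BYTES)

# Constructed sample buffers (not real files): a fake header, zero padding, the prime
# table in three different layouts, then a zero trailer.
_HEAD, _TAIL = b"MZ" + b"\x00" * 62, b"\x00" * 16
SAMPLE_LE32 = _HEAD + pack_table(PRIMES, "<I") + _TAIL   # the layout the rule targets
SAMPLE_BE32 = _HEAD + pack_table(PRIMES, ">I") + _TAIL   # big-endian 32-bit table
SAMPLE_LE16 = _HEAD + pack_table(PRIMES, "<H") + _TAIL   # 16-bit little-endian table


def triage_summary() -> dict:
    """What the pattern encodes and which of the sample layouts it would match."""
    return {
        "count": len(PRIMES),
        "first": PRIMES[0],
        "last": PRIMES[-1],
        "consecutive_primes": is_consecutive_prime_table(PRIMES),
        "hit_le32": find_table(SAMPLE_LE32),
        # Every prime here fits in one byte, so a big-endian table read one byte late and
        # followed by zero bytes is byte-identical to the pattern: it still matches.
        "hit_be32": find_table(SAMPLE_BE32),
        # A 16-bit table has no "00 00 00" gaps between values and is missed entirely.
        "hit_le16": find_table(SAMPLE_LE16),
    }


if __name__ == "__main__":
    for key, value in triage_summary().items():
        print(f"{key}: {value}")
```

Two points fall out of running this. The table is the full run of 53 primes from 3 to 251, the kind of small-prime list that trial-division and Miller-Rabin style routines carry, so a hit is a triage signal that a sample contains number-theoretic code, not a verdict by itself. And the pattern is layout-specific: it catches 32-bit little-endian tables (and, because every value fits in one byte, a zero-followed big-endian 32-bit table shifted by one byte), but a 16-bit or 64-bit encoding of the same primes slips past it.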
Known benign scenarios and suggested filters/exclusions:

Scenario: System update or patching process using wsusutil.exe
Filter/Exclusion: process.name == "wsusutil.exe"

Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: process.name == "vbm.exe" || process.name == "vbackup.exe"

Scenario: Admin task to generate prime numbers for cryptographic testing using a Python script
Filter/Exclusion: process.name == "python.exe" && process.args contains "prime_generator.py"

Scenario: Log analysis tool such as the ELK Stack processing logs with numeric fields
Filter/Exclusion: process.name == "java.exe" && process.args contains "elasticsearch"

Scenario: Database query execution using SQL Server Management Studio (SSMS)
Filter/Exclusion: process.name == "sqlservr.exe" || process.name == "ssms.exe"