This detection rule identifies potential adversary activity by searching for the hardcoded SHA1 constants that an embedded hashing implementation carries, which may indicate the presence of malicious payloads or known malicious files. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover stealthy malware or unauthorized artifacts that evade traditional detection methods.
YARA Rule
rule SHA1_Constants {
    meta:
        author = "phoul (@phoul)"
        description = "Look for SHA1 constants"
        date = "2014-01"
        version = "0.1"
    strings:
        // SHA-1 initial state words H0..H4 in big-endian byte order
        $c0 = { 67452301 }
        $c1 = { EFCDAB89 }
        $c2 = { 98BADCFE }
        $c3 = { 10325476 }
        $c4 = { C3D2E1F0 }
        // the same five words byte-swapped (little-endian layout, e.g. x86 builds)
        $c5 = { 01234567 }
        $c6 = { 89ABCDEF }
        $c7 = { FEDCBA98 }
        $c8 = { 76543210 }
        $c9 = { F0E1D2C3 }
        //added by _pusher_ 2016-07 - last round
        // fourth-round constant K3 = 0xCA62C1D6, byte-swapped
        $c10 = { D6C162CA }
    condition:
        5 of them
}
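As an added example (not part of the original rule or its author's work), the following Python rebuilds the rule's 11 byte patterns from the standard SHA-1 constants and applies the "5 of them" condition to constructed inputs; it also shows why the threshold matters, since MD5 shares the first four initialisation words with SHA-1.

```python
import struct

# SHA-1 initial state H0..H4 and the fourth-round constant K3 (FIPS 180-4).
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
SHA1_K3 = 0xCA62C1D6


def rule_patterns() -> dict:
    """Rebuild the rule's 11 hex strings: $c0-$c4 are H0..H4 big-endian,
    $c5-$c9 the same words byte-swapped (x86 .rdata layout), $c10 is K3
    byte-swapped (the 'last round' string added in 2016)."""
    pats = {}
    for i, h in enumerate(SHA1_IV):
        pats[f"$c{i}"] = struct.pack(">I", h)
        pats[f"$c{i + 5}"] = struct.pack("<I", h)
    pats["$c10"] = struct.pack("<I", SHA1_K3)
    return pats


def matching_strings(data: bytes) -> set:
    """Names of rule strings whose bytes occur anywhere in data."""
    return {name for name, pat in rule_patterns().items() if pat in data}


def sha1_constants_rule(data: bytes, threshold: int = 5) -> bool:
    """The rule condition '5 of them': at least five distinct strings hit."""
    return len(matching_strings(data)) >= threshold


# Constructed inputs standing in for scanned files (not real samples).
MD5_IV = SHA1_IV[:4]  # MD5's A,B,C,D are identical to SHA-1's H0..H3
SAMPLES = {
    # x86 binary embedding SHA-1: little-endian IV plus K3
    "x86_sha1": struct.pack("<5I", *SHA1_IV) + struct.pack("<I", SHA1_K3),
    # big-endian layout (e.g. a Java class file or big-endian firmware)
    "be_sha1": struct.pack(">5I", *SHA1_IV),
    # x86 binary that only implements MD5: four shared words, no H4, no K3
    "x86_md5_only": struct.pack("<4I", *MD5_IV),
    # text written by sha1sum: a digest, not the algorithm's constants
    "sha1sum_output": b"da39a3ee5e6b4b0d3255bfef95601890afd80709  pkg.tar.gz\n",
}


def scan_samples() -> dict:
    """Run the rule over every sample -> {name: (hit count, fired)}."""
    return {n: (len(matching_strings(d)), sha1_constants_rule(d))
            for n, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (hits, fired) in scan_samples().items():
        print(f"{name:15} {hits:2} strings  fired={fired}")
```

The MD5-only sample hits four strings and stays below the threshold, while a file that merely contains a SHA-1 checksum (the sha1sum scenario below) hits none; the sha1sum binary itself, not its output, is what would match.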
This rule contains 11 string patterns in its detection logic. When deploying it, the following benign scenarios may also produce matches; each is paired with a suggested filter or exclusion.
Scenario: A system administrator is using sha1sum to verify the integrity of a downloaded software package.
Filter/Exclusion: Exclude processes related to sha1sum or any command-line tools used for file integrity checks.
Scenario: A scheduled job runs a script that generates SHA1 hashes for backup files as part of a data validation process.
Filter/Exclusion: Exclude processes associated with backup tools like rsync, tar, or backup-agent and filter by known backup directories.
Scenario: A developer is using a code linter or static analysis tool (e.g., eslint, SonarQube) that internally uses SHA1 for hashing or artifact management.
Filter/Exclusion: Exclude processes running under development tools or linters, or filter by specific tool names and user accounts.
Scenario: A security tool like OSSEC or Tripwire generates SHA1 hashes as part of its configuration or rule management.
Filter/Exclusion: Exclude processes related to security tools and their configuration directories, or filter by known security tool binaries.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitLab CI) uses SHA1 hashes to verify artifact integrity during deployment.
Filter/Exclusion: Exclude processes associated with CI/CD tools and their job directories, or filter by known CI/CD agent processes.