The rule detects potential adversarial activity involving the execution of a suspicious file with a cryptic name, possibly indicating a file obfuscation or evasion technique. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that may bypass traditional detection methods.
YARA Rule
rule sig_2fb404bdcebc7acbeb598f8a2ddbecf48c60b113 {
   meta:
      description = "Auto-generated rule - file 2fb404bdcebc7acbeb598f8a2ddbecf48c60b113.codex"
      author = "YarGen Rule Generator"
      reference = "not set"
      date = "2016-07-21"
      hash1 = "4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948"
   strings:
      $s1 = ":%:0:;:F:Q:\\:p:|:" fullword ascii
      $s2 = "6.666>6F6N6V6^6f6n6v6~6" fullword ascii
      $s3 = "6!6(6/666=6D6K6R6Y6r6:7" fullword ascii
      $s4 = "1t83jL.bjG" fullword ascii
      $s5 = "6!61666V6]6p6" fullword ascii
      $s6 = "2%2D2P2`2p2|2" fullword ascii
      $s7 = "42494@4G4N4U4\\4c4j4q4x4" fullword ascii
      $s8 = "9+92999@9G9N9U9\\9c9j9q9x9" fullword ascii
      $s9 = "4!4&43484E4J4W4\\4i4n4s4" fullword ascii
      $s10 = "5$5+52595@5G5N5U5\\5c5j5q5" fullword ascii
      $s11 = "1.252<2C2J2Q2X2_2f2m2t2{2" fullword ascii
      $s12 = "8 8%818:8?8K8Q8V8b8h8m8y8" fullword ascii
      $s13 = "9'93989=9B9K9P9U9Z9c9n9s9" fullword ascii
      $s14 = ":\":':,:8:=:B:R:Z:`:e:v:}:" fullword ascii
      $s15 = "=#=(=4=:=?=K=Q=V=b=k=p=|=" fullword ascii
      $s16 = "= =*=1=8=?=F=M=T=[=b=i=p=w=~=" fullword ascii
      $s17 = "3&3-343;3B3I3P3W3^3e3l3s3z3" fullword ascii
      $s18 = ":!:(:/:6:=:I:N:S:`:f:k:x:~:" fullword ascii
      $s19 = "cMDkAjy=" fullword ascii
      $s20 = "=#=/=4=9=E=J=O=[=`=e=q=v={=" fullword ascii
      $op0 = { e0 b3 42 00 c7 84 24 ac } /* Opcode */
      $op1 = { 3c ee 42 00 c7 84 24 8c } /* Opcode */
      $op2 = { a1 e0 79 44 00 83 c4 0c ff 74 24 1c ff 90 3c 01 } /* Opcode */
   condition:
      ( uint16(0) == 0x5a4d and filesize < 900KB and ( 10 of ($s*) ) and 1 of ($op*) ) or ( all of them )
}
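The condition above combines a PE header check (uint16(0) == 0x5a4d reads the first two bytes little-endian, which is "MZ"), a size cap (YARA's KB suffix means 1024 bytes), a threshold of ten distinct $s strings plus one $op sequence, with "all of them" as an alternative path. The following Python is an added example, not part of the original page or of the yarGen tool: it re-implements that evaluation over a constructed byte buffer so a reader can see which clause of the condition a sample passes or fails. "fullword ascii" is approximated as YARA defines it (no alphanumeric character immediately before or after the match); the sample buffer, the helper names fullword_ascii, evaluate and build_sample, and the result dictionary layout are all assumptions of this example.

```python
import re
import struct

# String and opcode patterns copied from the rule above (YARA escapes map
# directly onto Python bytes-literal escapes).
STRINGS = {
    "s1": b":%:0:;:F:Q:\\:p:|:",
    "s2": b"6.666>6F6N6V6^6f6n6v6~6",
    "s3": b"6!6(6/666=6D6K6R6Y6r6:7",
    "s4": b"1t83jL.bjG",
    "s5": b"6!61666V6]6p6",
    "s6": b"2%2D2P2`2p2|2",
    "s7": b"42494@4G4N4U4\\4c4j4q4x4",
    "s8": b"9+92999@9G9N9U9\\9c9j9q9x9",
    "s9": b"4!4&43484E4J4W4\\4i4n4s4",
    "s10": b"5$5+52595@5G5N5U5\\5c5j5q5",
    "s11": b"1.252<2C2J2Q2X2_2f2m2t2{2",
    "s12": b"8 8%818:8?8K8Q8V8b8h8m8y8",
    "s13": b"9'93989=9B9K9P9U9Z9c9n9s9",
    "s14": b":\":':,:8:=:B:R:Z:`:e:v:}:",
    "s15": b"=#=(=4=:=?=K=Q=V=b=k=p=|=",
    "s16": b"= =*=1=8=?=F=M=T=[=b=i=p=w=~=",
    "s17": b"3&3-343;3B3I3P3W3^3e3l3s3z3",
    "s18": b":!:(:/:6:=:I:N:S:`:f:k:x:~:",
    "s19": b"cMDkAjy=",
    "s20": b"=#=/=4=9=E=J=O=[=`=e=q=v={=",
}
OPCODES = {
    "op0": bytes.fromhex("e0 b3 42 00 c7 84 24 ac"),
    "op1": bytes.fromhex("3c ee 42 00 c7 84 24 8c"),
    "op2": bytes.fromhex("a1 e0 79 44 00 83 c4 0c ff 74 24 1c ff 90 3c 01"),
}


def fullword_ascii(pattern: bytes, data: bytes) -> bool:
    """YARA 'fullword': the pattern occurs and is not bordered by [A-Za-z0-9]."""
    rx = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])")
    return rx.search(data) is not None


def evaluate(data: bytes) -> dict:
    """Evaluate the rule's condition clause by clause and report the verdict."""
    is_pe = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    size_ok = len(data) < 900 * 1024                      # filesize < 900KB
    string_hits = {n for n, p in STRINGS.items() if fullword_ascii(p, data)}
    opcode_hits = {n for n, p in OPCODES.items() if p in data}
    # ( uint16(0) == 0x5a4d and filesize < 900KB and 10 of ($s*) and 1 of ($op*) )
    strict = is_pe and size_ok and len(string_hits) >= 10 and len(opcode_hits) >= 1
    # or ( all of them ): every $s and every $op string must be present
    loose = len(string_hits) == len(STRINGS) and len(opcode_hits) == len(OPCODES)
    return {
        "match": strict or loose,
        "is_pe": is_pe,
        "size_ok": size_ok,
        "string_hits": sorted(string_hits),
        "opcode_hits": sorted(opcode_hits),
    }


def build_sample(with_mz_header: bool = True) -> bytes:
    """Constructed test buffer, not a real file: a 64-byte stub that starts with
    'MZ' (or not), ten of the rule's strings one per line, and one opcode run."""
    header = (b"MZ" if with_mz_header else b"\x00\x00") + b"\x00" * 62
    body = b"\n".join(STRINGS[f"s{i}"] for i in range(1, 11))
    return header + body + b"\n" + OPCODES["op0"] + b"\n"


if __name__ == "__main__":
    for label, buf in (("mz sample", build_sample()),
                       ("no mz header", build_sample(with_mz_header=False))):
        print(label, evaluate(buf))
```

Running the block shows the first buffer matching through the strict path and the second failing it on the header check alone, with the ten strings and the opcode still counted; appending padding past 900KB to the first buffer flips it to a non-match the same way, which is the kind of clause-level breakdown that helps when deciding whether a yarGen rule's thresholds are too loose or too tight for a given environment.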
This rule contains 23 string patterns in its detection logic: 20 ASCII strings ($s1 to $s20) and 3 opcode sequences ($op0 to $op2).
This YARA rule can be deployed in the following contexts; each scenario describes legitimate activity that may overlap with the detection, with a suggested filter or exclusion to tune it out:
Scenario: A system administrator is using PowerShell to automate the deployment of a software update.
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name == "task scheduler" to exclude legitimate scheduled tasks.
Scenario: A database administrator is running a SQL Server Agent Job that generates temporary files in the system directory.
Filter/Exclusion: process.name != "sqlservr.exe" or process.parent.name == "sqlagent.exe" to exclude known database maintenance tasks.
Scenario: A DevOps engineer is using Ansible to deploy configuration files to multiple servers, which results in file creation in monitored directories.
Filter/Exclusion: process.name != "ansible" or process.parent.name == "systemd" to exclude Ansible automation tasks.
Scenario: A user is using 7-Zip to extract a compressed archive containing multiple files, which triggers file creation in a monitored directory.
Filter/Exclusion: process.name != "7z.exe" or process.parent.name == "explorer.exe" to exclude legitimate archive extraction activities.
Scenario: A system update is being applied via Windows Update that creates temporary files in the system directory.
Filter/Exclusion: process.name != "wuauserv.exe" or process.parent.name == "svchost.exe" to exclude Windows Update-related file operations.