Adversaries frequently drive HTTP command-and-control and data exfiltration through the Windows WinINet API (HttpOpenRequest, HttpSendRequest, HttpQueryInfo), because the traffic looks like ordinary web browsing and the functions are present on every Windows host. The rule below flags files or memory regions that contain those function names, which makes it a hunting and triage aid for suspicious binaries rather than a network detection. SOC teams can run it over collected samples and memory dumps and correlate the hits in Azure Sentinel (now Microsoft Sentinel) with process and network telemetry to surface command-and-control or exfiltration activity that evades traditional signatures.
YARA Rule
rule Str_Win32_Http_API
{
    meta:
        author = "@adricnet"
        description = "Match Windows Http API call"
        method = "String match, trim the As"
        reference = "https://github.com/dfirnotes/rules"
    strings:
        // The trailing A/W (ANSI/Unicode) suffix is trimmed, so each pattern
        // matches both HttpSendRequestA and HttpSendRequestW. YARA text strings
        // are plain substring matches, and without a 'wide' modifier only
        // ASCII occurrences are found.
        $wininet_call_httpr = "HttpSendRequest"
        $wininet_call_httpq = "HttpQueryInfo"
        $wininet_call_httpo = "HttpOpenRequest"
    condition:
        // Any one of the three function names is enough to match.
        any of ($wininet_call_http*)
}
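The following is an added example, not code from the original page or from the dfirnotes/rules repository. It re-implements the matching logic of Str_Win32_Http_API in plain Python so the rule's behaviour can be checked without a YARA install, and it demonstrates three properties that matter when tuning it: YARA text strings are substring matches, so the suffix-trimmed "HttpSendRequest" also hits HttpSendRequestA, HttpSendRequestW and the WinHTTP export WinHttpSendRequest; without the `wide` modifier a name stored as UTF-16LE is missed; and the only exclusion that can be expressed at this layer is an allowlist of known-good files (by hash here). All sample buffers are constructed for the example and are not real binaries; the `triage` helper and its allowlist are assumptions of the example, not part of the rule.

```python
"""Added example: plain-Python re-implementation of Str_Win32_Http_API.

Not from the original page or the dfirnotes/rules repo. Sample buffers
below are constructed; they are not real PE files.
"""
import hashlib

# The three strings from the rule, keyed by their YARA identifiers.
PATTERNS = {
    "$wininet_call_httpr": b"HttpSendRequest",
    "$wininet_call_httpq": b"HttpQueryInfo",
    "$wininet_call_httpo": b"HttpOpenRequest",
}


def find_all(data: bytes, needle: bytes) -> list:
    """Offsets of every (possibly overlapping) occurrence of needle in data."""
    offsets, start = [], 0
    while (i := data.find(needle, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def scan(data: bytes, wide: bool = False) -> dict:
    """Return {identifier: [offsets]} for each pattern present in data.

    wide=False mirrors the page's rule exactly (ASCII substrings only).
    wide=True additionally searches the UTF-16LE form of each pattern,
    which is what adding `ascii wide` to the rule's strings would do.
    """
    hits = {}
    for ident, pat in PATTERNS.items():
        offsets = find_all(data, pat)
        if wide:
            offsets += find_all(data, pat.decode("ascii").encode("utf-16-le"))
        if offsets:
            hits[ident] = sorted(offsets)
    return hits


def rule_matches(data: bytes, wide: bool = False) -> bool:
    """The rule's condition: any of ($wininet_call_http*)."""
    return bool(scan(data, wide))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(files, allowlist_sha256) -> list:
    """Tuning step (assumed workflow, not part of the rule): keep only the
    matching files whose SHA-256 is not on a known-good allowlist.

    files is an iterable of (path, bytes). Exclusions by user account or
    URL cannot be expressed at the file-scan layer; hash (or code-signing)
    allowlists can.
    """
    return [
        path for path, data in files
        if rule_matches(data) and sha256_hex(data) not in allowlist_sha256
    ]


# --- constructed samples -------------------------------------------------
# Fragment of an import name table from something that links wininet.dll.
SAMPLE_WININET = (b"wininet.dll\x00HttpOpenRequestA\x00"
                  b"HttpSendRequestA\x00HttpSendRequestW\x00HttpQueryInfoA\x00")
# WinHTTP consumer: the trimmed patterns are substrings of these names too.
SAMPLE_WINHTTP = b"winhttp.dll\x00WinHttpOpenRequest\x00WinHttpSendRequest\x00"
# The same API name stored as UTF-16LE, as a managed string table would hold it.
SAMPLE_WIDE = "HttpSendRequestW".encode("utf-16-le")
# A buffer with no WinINet/WinHTTP names at all.
SAMPLE_BENIGN = b"MZ\x90\x00 nothing to see here, GetProcAddress, CreateFileW"

if __name__ == "__main__":
    for name, buf in [("wininet", SAMPLE_WININET), ("winhttp", SAMPLE_WINHTTP),
                      ("wide", SAMPLE_WIDE), ("benign", SAMPLE_BENIGN)]:
        print(f"{name:8} ascii={rule_matches(buf)!s:5} "
              f"ascii+wide={rule_matches(buf, wide=True)!s:5} {scan(buf)}")
    known_good = {sha256_hex(SAMPLE_WININET)}
    print("needs review:", triage([("updater.exe", SAMPLE_WININET),
                                   ("dropper.exe", SAMPLE_WINHTTP)], known_good))
```

Running the script shows that the WinINet and WinHTTP fragments both match with the rule as written, the UTF-16 fragment matches only when wide matching is enabled, and the allowlisted file drops out of the triage list while the unlisted one remains.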
This rule contains 3 string patterns in its detection logic; the condition is satisfied as soon as any one of them appears in the scanned file or memory region, so expect it to match every legitimate WinINet consumer as well. The scenarios below are the common benign sources of hits and how to exclude them.
Scenario: A system administrator runs a scheduled PowerShell job that makes a legitimate HTTP request to a public API for system monitoring; if the script host or a module it loads links WinINet, a scan of that binary or its process memory matches.
Filter/Exclusion: Allowlist the specific executable by file hash or code-signing certificate and confirm that the scheduled task's registered action points at it (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe). Do not exclude by user account: malware routinely runs as SYSTEM or as an administrator, so a filter on the System or Administrator user suppresses exactly the cases the rule is meant to surface.
Scenario: The Windows Update client contacts Microsoft’s update servers as part of the standard patching process, and Microsoft’s own networking components carry these export names.
Filter/Exclusion: Allowlist Microsoft-signed binaries under the Windows directory by Authenticode signer or hash. Note that wuauserv is a service hosted inside svchost.exe, not a standalone wuauserv.exe, and excluding everything named svchost.exe is unsafe because it hosts many services and is a common masquerade target. Matching on URL patterns for Microsoft update endpoints is not possible in a file or memory scan; apply it when correlating the hit with network telemetry.
Scenario: A remote management agent such as Microsoft Intune or Microsoft Endpoint Manager makes HTTP calls to its backend services for device policy synchronization.
Filter/Exclusion: Allowlist the agent’s signed binaries by hash or signer. Filtering by source IP or destination domain associated with Microsoft’s management services is a check on the network correlation side, not on the YARA match itself.
Scenario: A scheduled task is configured to fetch data from an internal API for reporting purposes, such as pulling logs from a central logging server.
Filter/Exclusion: Allowlist the executable the task launches (taken from the action registered in Task Scheduler) rather than the service account it runs as, and verify in network telemetry that the process only reaches the expected internal API endpoints.
Scenario: A network diagnostic tool such as Wireshark or Microsoft Network Monitor is installed for capturing and analyzing HTTP traffic; its binaries, and the packet captures, logs and reports it writes, may contain these API names as plain text, because the rule is a raw substring match.
Filter/Exclusion: Restrict the scan to PE files and process memory, or exclude the tool’s install and capture directories by path, and allowlist the tool’s signed binaries by hash or signer.