Adversaries may store known malicious strings (process names, DLL names, imported API names, registry paths) in reversed or otherwise transformed form so that plain signature matching never sees the readable string; finding such transformed strings in a PE file can indicate staged command-and-control or payload execution code. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify obfuscated threats that bypass traditional detection mechanisms.
YARA Rule
rule Typical_Malware_String_Transforms {
    meta:
        description = "Detects typical strings in a reversed or otherwise modified form"
        author = "Florian Roth"
        reference = "Internal Research"
        date = "2016-07-31"
        score = 60
    strings:
        /* Executables */
        $e1 = "exe.tsohcvs" fullword ascii
        $e2 = "exe.ssasl" fullword ascii
        $e3 = "exe.rerolpxe" fullword ascii
        $e4 = "exe.erolpxei" fullword ascii
        $e5 = "exe.23lldnur" fullword ascii
        $e6 = "exe.dmc" fullword ascii
        $e7 = "exe.llikksat" fullword ascii
        /* Libraries */
        $l1 = "lld.23lenreK" fullword ascii
        $l2 = "lld.ESABLENREK" fullword ascii
        $l3 = "lld.esabtpyrc" fullword ascii
        $l4 = "lld.trcvsm" fullword ascii
        $l5 = "LLD.LLDTN" fullword ascii
        /* Imports */
        $i1 = "paeHssecorPteG" fullword ascii
        $i2 = "sserddAcorPteG" fullword ascii
        $i3 = "AyrarbiLdaoL" fullword ascii
        /* Registry */
        $r1 = "teSlortnoCtnerruC" fullword ascii
        $r2 = "nuR\\noisreVtnerruC" fullword ascii
        /* Folders */
        $f1 = "\\23metsys\\" ascii
        $f2 = "\\23metsyS\\" ascii
        $f3 = "niB.elcyceR$" fullword ascii
        $f4 = "%tooRmetsyS%" fullword ascii
        /* False Positives */
        $fp1 = "Application Impact Telemetry Static Analyzer" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and 1 of them and not 1 of ($fp*) )
}
This rule contains 22 string patterns in its detection logic.
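To make the rule's logic concrete, the following added Python example (not part of the original rule or page) reverses readable Windows names into the byte forms the rule's fullword ASCII atoms encode and emulates the condition (MZ header, at least one hit, wide false-positive string absent) over a constructed buffer. The two non-fullword folder atoms are left out, and the boundary check approximates YARA's alphanumeric fullword test; the sample buffers are constructed for this example.

```python
import re

# Readable forms recovered from the rule's reversed fullword ASCII atoms (constructed here).
KNOWN = {
    "exe": ["svchost.exe", "lsass.exe", "explorer.exe", "iexplore.exe",
            "rundll32.exe", "cmd.exe", "taskkill.exe"],
    "dll": ["Kernel32.dll", "KERNELBASE.dll", "cryptbase.dll", "msvcrt.dll", "NTDLL.DLL"],
    "import": ["GetProcessHeap", "GetProcAddress", "LoadLibraryA"],
    "registry": ["CurrentControlSet", "CurrentVersion\\Run"],
    "folder": ["$Recycle.Bin", "%SystemRoot%"],
}
# The rule's false-positive exclusion is declared "wide", i.e. UTF-16LE in the file.
FP_WIDE = "Application Impact Telemetry Static Analyzer".encode("utf-16le")


def reverse_atom(word: str) -> bytes:
    """Reverse a readable string into the byte form a string-reversing loader carries."""
    return word[::-1].encode("ascii")


def fullword_hits(atom: bytes, data: bytes) -> list:
    """Offsets where atom occurs without an alphanumeric neighbour (YARA 'fullword')."""
    pat = rb"(?<![A-Za-z0-9])" + re.escape(atom) + rb"(?![A-Za-z0-9])"
    return [m.start() for m in re.finditer(pat, data)]


def scan(data: bytes) -> dict:
    """Emulate the rule's condition; returns the verdict and the readable names that hit."""
    hits = {}
    if data[:2] != b"MZ":                      # uint16(0) == 0x5a4d
        return {"match": False, "hits": hits}
    for words in KNOWN.values():
        for word in words:
            offsets = fullword_hits(reverse_atom(word), data)
            if offsets:
                hits[word] = offsets
    # "1 of them and not 1 of ($fp*)": any atom present, unless the FP string is too.
    match = bool(hits) and FP_WIDE not in data
    return {"match": match, "hits": hits}


# Constructed samples: a fake PE header, then reversed vs. plain copies of the same names.
SAMPLE = b"MZ" + b"\x00" * 62 + b"cfg: AyrarbiLdaoL ; exe.23lldnur\x00 pad"
BENIGN = b"MZ" + b"\x00" * 62 + b"cfg: LoadLibraryA ; rundll32.exe\x00 pad"

if __name__ == "__main__":
    print(scan(SAMPLE))   # match True, hits for LoadLibraryA and rundll32.exe
    print(scan(BENIGN))   # match False, no hits
```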
Scenario: A system backup job compresses and reverses log files for archival purposes.
Filter/Exclusion: Exclude processes associated with backup tools like Veeam, Commvault, or Veritas NetBackup using their process names or command-line arguments.

Scenario: A scheduled administrative task runs a script that reverses strings for data processing or testing.
Filter/Exclusion: Exclude tasks scheduled via Task Scheduler with known administrative scripts, or use a regex to match script names like process_data.ps1 or reverse_strings.sh.

Scenario: A security tool like OSSEC or Snort performs signature-based detection and reverses strings as part of its heuristic analysis.
Filter/Exclusion: Exclude processes running under the security tool’s service account, or use process names like ossec or snort in the filter.

Scenario: A developer uses a command-line tool like sed or awk to reverse strings during a data transformation task.
Filter/Exclusion: Exclude processes with command-line arguments containing sed, awk, or rev, and filter by user accounts typically used for development (e.g., dev_user).

Scenario: A log normalization tool like Logstash or Fluentd reverses strings during log parsing or normalization.
Filter/Exclusion: Exclude processes running under the log processing service (e.g., logstash or fluentd), or use a filter based on the tool’s unique process name or configuration file paths.