This rule matches the compiled 32-bit x86 body of a Random(Range) routine: a stack frame is set up, a global seed is multiplied by the constant 0x08088405 (134775813) and incremented, the new seed is stored back, and the 32x32-bit product of the new seed and the requested range is computed, with the high half returned as the result. That multiplier and the multiply-then-take-high-half step are the linear congruential generator behind System.Random in the Delphi/Borland run-time library, so a hit is a compiler and run-time fingerprint rather than evidence of intent: every Delphi program that calls Random carries this function. The two runs of ?? wildcard bytes are the address of the seed variable, which differs from binary to binary, which is why they are wildcarded. The rule is useful for classification and triage (confirming that a sample is Delphi-built, or combined with family-specific strings where Random is used for polymorphism, sleep jitter, or generated file names); it is not a malware indicator on its own, it does not cover 64-bit builds, which compile the same routine to different bytes, and it is applied by scanning files or process memory on an endpoint or in a sandbox, with only the resulting alert forwarded to a SIEM such as Azure Sentinel.
YARA Rule
rule Unknown_Random {
meta:
author = "_pusher_"
description = "Look for Random function"
date = "2016-07"
strings:
$c0 = { 55 8B EC 52 8B 45 08 69 15 ?? ?? ?? ?? 05 84 08 08 42 89 15 ?? ?? ?? ?? F7 E2 8B C2 5A C9 C2 04 00 }
condition:
$c0
}
The rule contains a single hex string pattern and no PE, entry-point, or file-size constraint, so it matches wherever the byte sequence occurs, including process memory dumps and unrelated data that happens to contain it.
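The following Python is an added example, not part of the rule author's code: it compiles the rule's hex string into a byte regex, scans a constructed buffer the way YARA would, decodes the wildcarded seed address from both instructions (a consistency check YARA itself cannot express), models the arithmetic the matched bytes perform, and shows file-hash allowlisting as the tuning mechanism for legitimate hits. The seed address 0x00405010 and the sample bytes are constructed for the demonstration; the reading of the bytes as a seed*0x08088405+1 generator is taken from the opcodes themselves.

```python
import hashlib
import re

# Hex string of the Unknown_Random rule, copied verbatim from the rule above.
RULE_HEX = ("55 8B EC 52 8B 45 08 69 15 ?? ?? ?? ?? 05 84 08 08 42 "
            "89 15 ?? ?? ?? ?? F7 E2 8B C2 5A C9 C2 04 00")

# Immediate of the imul instruction (bytes 05 84 08 08, little-endian):
# the multiplier of the linear congruential generator the code implements.
LCG_MULTIPLIER = 0x08088405
MASK32 = 0xFFFFFFFF

# Offsets inside a match of the two 4-byte wildcard runs: the displacement
# of "imul edx, [seed], imm32" and of the later "mov [seed], edx".
IMUL_DISP_OFF = 9
MOV_DISP_OFF = 20


def hex_string_to_regex(hex_string):
    """Translate a YARA hex string (with ?? wildcards) into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_string.split()]
    return re.compile(b"".join(parts), re.DOTALL)


PATTERN = hex_string_to_regex(RULE_HEX)


def find_random_functions(data):
    """Scan a buffer as the rule would and decode the wildcard bytes.

    Each hit records the match offset, the seed address read by imul, the
    seed address written by mov, and whether the two agree. In genuinely
    compiled code both refer to the same global, so a mismatch is a cheap
    post-scan check for accidental matches on non-code data.
    """
    hits = []
    for m in PATTERN.finditer(data):
        body = m.group(0)
        read_addr = int.from_bytes(body[IMUL_DISP_OFF:IMUL_DISP_OFF + 4], "little")
        write_addr = int.from_bytes(body[MOV_DISP_OFF:MOV_DISP_OFF + 4], "little")
        hits.append({"offset": m.start(), "seed_read_addr": read_addr,
                     "seed_write_addr": write_addr,
                     "consistent": read_addr == write_addr})
    return hits


def delphi_random(seed, range_):
    """Model of the computation the matched bytes perform.

    seed is the 32-bit global the wildcards point at. The code advances it
    as seed*0x08088405+1 mod 2^32, stores it back, multiplies the new seed
    by range_ (mul edx) and returns the high 32 bits of the product
    (mov eax, edx), i.e. a value in [0, range_). Returns (result, new_seed).
    """
    new_seed = (seed * LCG_MULTIPLIER + 1) & MASK32
    result = (new_seed * (range_ & MASK32)) >> 32
    return result, new_seed


def build_sample(seed_addr, write_addr=None):
    """Constructed input, not taken from any real binary: the 33-byte
    function body with chosen seed addresses, padded with NOPs and INT3s."""
    read_disp = seed_addr.to_bytes(4, "little")
    write_disp = (seed_addr if write_addr is None else write_addr).to_bytes(4, "little")
    body = (bytes.fromhex("558BEC528B45086915") + read_disp
            + bytes.fromhex("05840808428915") + write_disp
            + bytes.fromhex("F7E28BC25AC9C20400"))
    return b"\x90" * 16 + body + b"\xCC" * 16


def file_sha256(data):
    return hashlib.sha256(data).hexdigest()


def scan_with_allowlist(data, allowlist_sha256):
    """File-level tuning: suppress hits for files whose SHA-256 is on an
    allowlist of known-good Delphi utilities, instead of excluding on a
    process name that any renamed binary could satisfy."""
    if file_sha256(data) in allowlist_sha256:
        return []
    return find_random_functions(data)


if __name__ == "__main__":
    sample = build_sample(0x00405010)  # hypothetical RandSeed address
    for hit in find_random_functions(sample):
        print("match at +0x%x, seed @ 0x%08x, consistent=%s"
              % (hit["offset"], hit["seed_read_addr"], hit["consistent"]))
    seed = 1
    for _ in range(3):
        value, seed = delphi_random(seed, 100)
        print("Random(100) ->", value)
```

Running the module prints one hit at offset 16 with both seed references pointing at 0x00405010, followed by three successive outputs of the generator from seed 1. The same scan against a copy of the sample in which the inc edx byte (42) is altered returns nothing, which is the behaviour to expect from a pure byte-pattern rule: a compiler that schedules the routine differently, or a 64-bit build, is simply not seen.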
Scenario: Load or stress testing tool generating random values
Description: An in-house or third-party load-testing utility built with Delphi calls Random to vary request timing or payload content. Tools such as JMeter, Locust, or Apache Bench are not Delphi programs and are not expected to contain this byte pattern.
Filter/Exclusion: Allowlist the specific testing binaries by file hash or code-signing certificate. Do not exclude on process name or command line: the match is made on file content, and a renamed malicious binary would satisfy a name-based exclusion.
Scenario: Random password generation for user accounts
Description: An administrative utility generates initial passwords for new accounts. If the utility is a Delphi program that draws the characters from System.Random, the hit is legitimate but still worth reporting, because this is a 32-bit linear congruential generator and its output is predictable. Password managers such as HashiCorp Vault, LastPass, or 1Password are not Delphi applications and are not expected to match.
Filter/Exclusion: Allowlist the known utility by hash or signer after confirming what the output is used for, and pass the weak-generator finding to the application owner rather than treating it as noise.
Scenario: Random data generation for data masking
Description: A masking or anonymization utility replaces production values with generated ones during migration or test-data preparation. A Delphi-built masking tool will contain the function; platforms such as Delphix, Informatica, or Talend are not Delphi applications and are not expected to match.
Filter/Exclusion: Allowlist the masking tool's installed binaries by hash or code-signing identity, scoped to the hosts where the tool is deployed.
Scenario: Random number generation for cryptographic purposes
Description: A key-management or cryptographic service generates random numbers for key material. A correctly implemented service draws from the operating system's CSPRNG or a hardware source and does not contain this pattern; OpenSSL, the Windows cryptographic service providers, and KMIP servers do not use the Delphi Random generator. A match in software that claims to generate keys, nonces, or tokens indicates a non-cryptographic generator in a cryptographic role.
Filter/Exclusion: Do not exclude. Escalate the match to the application owner as a weak-randomness finding and confirm, by inspecting the calling code, whether the output feeds key, nonce, or token generation.
Scenario: Randomization in analytics or reporting tools
Description: Reporting and visualization software uses randomization for sampling or jittered plots. Delphi-built reporting components will contain the function; Tableau, Power BI, and Grafana are not Delphi applications and are not expected to match.
Filter/Exclusion: Allowlist the specific reporting binaries by hash or code-signing certificate, and review any hit from an unsigned binary or an unexpected path on the same host.