This YARA rule identifies the Random function, specifically the compiled Visual C++ 6 C runtime rand() routine (a linear congruential generator whose multiply and add constants, 0x343FD and 0x269EC3, are fixed bytes in the pattern), which may indicate an adversary attempting to obfuscate or generate unpredictable values for evasion or data manipulation. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malicious activity that could be used to bypass controls or exfiltrate data undetected.
YARA Rule
rule VC6_Random {
    meta:
        author = "_pusher_"
        description = "Look for Random function"
        date = "2016-02"
    strings:
        $c0 = { A1 ?? ?? ?? ?? 69 C0 FD 43 03 00 05 C3 9E 26 00 A3 ?? ?? ?? ?? C1 F8 10 25 FF 7F 00 00 C3 }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($c0) in its detection logic.
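As an added example (not part of the rule or its author's material), the following Python reproduces what the $c0 hex string matches: a wildcard-aware matcher run over a constructed byte buffer containing a VC6 rand() stub, a triage helper that reads the seed address out of the two wildcard slots, and an emulation of the generator the matched code implements. The seed address 0x00402010, the sample buffer and the helper names are assumptions made for the example.

```python
import re

# The hex string from the VC6_Random rule above; "??" is a one-byte wildcard
# standing in for the address of the C runtime's seed variable.
VC6_RANDOM_HEX = ("A1 ?? ?? ?? ?? 69 C0 FD 43 03 00 05 C3 9E 26 00 "
                  "A3 ?? ?? ?? ?? C1 F8 10 25 FF 7F 00 00 C3")

def hex_string_to_regex(hex_string):
    """Translate a YARA hex string (fixed bytes plus ?? wildcards) into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_string.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def find_matches(data, hex_string=VC6_RANDOM_HEX):
    """Offsets at which the rule's pattern occurs in data (what YARA's $c0 would report)."""
    return [m.start() for m in hex_string_to_regex(hex_string).finditer(data)]

def seed_addresses(data, offset):
    """Triage helper (assumption, not part of the rule): the two wildcard dwords are the
    operands of 'mov eax,[seed]' and 'mov [seed],eax', so a genuine rand() stores back
    to the address it loaded from.  Returns (load_addr, store_addr) for a match."""
    load = int.from_bytes(data[offset + 1:offset + 5], "little")
    store = int.from_bytes(data[offset + 17:offset + 21], "little")
    return load, store

def vc6_rand_sequence(seed, count):
    """Emulate the matched routine: seed = seed*0x343FD + 0x269EC3 (32-bit wrap),
    result = (seed >> 16) & 0x7FFF.  Seed 1 yields 41, 18467, ..."""
    out = []
    for _ in range(count):
        seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
        out.append((seed >> 16) & 0x7FFF)
    return out

# Constructed sample "image": padding, then a rand() stub whose seed lives at 0x00402010.
SEED_ADDR = (0x00402010).to_bytes(4, "little")
RAND_STUB = (b"\xA1" + SEED_ADDR + b"\x69\xC0\xFD\x43\x03\x00" + b"\x05\xC3\x9E\x26\x00"
             + b"\xA3" + SEED_ADDR + b"\xC1\xF8\x10" + b"\x25\xFF\x7F\x00\x00" + b"\xC3")
SAMPLE_IMAGE = b"\x90" * 7 + RAND_STUB + b"\xCC" * 5
# Same instruction shape but a different additive constant: not the VC6 generator, no match.
OTHER_LCG = RAND_STUB.replace(b"\x05\xC3\x9E\x26\x00", b"\x05\x39\x30\x00\x00")

if __name__ == "__main__":
    for off in find_matches(SAMPLE_IMAGE):
        print(f"VC6_Random hit at offset {off}, seed load/store = {seed_addresses(SAMPLE_IMAGE, off)}")
    print("other LCG matches:", find_matches(OTHER_LCG))
    print("first rand() values from seed 1:", vc6_rand_sequence(1, 3))
```

The load/store address check is a cheap way to separate a real rand() from an unrelated byte run that happens to fit the wildcards.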
Scenario: A system administrator is using PowerShell to generate a random password for a new user account.
Filter/Exclusion: Exclude processes initiated by the Administrator user or those containing the string "New-LocalUser" or "GeneratePassword".
Scenario: A scheduled job runs a script that uses the Random function to simulate random data for testing purposes.
Filter/Exclusion: Exclude processes associated with the task scheduler (e.g., schtasks.exe) or scripts located in a known test directory (e.g., C:\Testing\).
Scenario: A DevOps engineer is using Python to generate random UUIDs for temporary files during a deployment.
Filter/Exclusion: Exclude processes running under a DevOps user account or those with a command line containing "uuid.uuid4" or "random.uuid".
Scenario: A database administrator is using SQL Server’s RAND() function to generate random sample data for reporting.
Filter/Exclusion: Exclude queries executed by the sa account or those containing the keyword "RAND()" in the SQL query text.
Scenario: A security tool like Splunk is generating random identifiers for log entries during data anonymization.
Filter/Exclusion: Exclude processes associated with Splunk (splunkd.exe) or those running under a service account used for log processing.