The detection rule identifies the use of the Random function, which may indicate an adversary attempting to obfuscate or generate unpredictable values for malicious purposes. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover potential evasion tactics or data manipulation attempts by threat actors.
YARA Rule
rule VC8_Random {
    meta:
        author = "_pusher_"
        description = "Look for Random function"
        date = "2016-01"
        version = "0.1"
    strings:
        $c0 = { E8 ?? ?? ?? ?? 8B 48 14 69 C9 FD 43 03 00 81 C1 C3 9E 26 00 89 48 14 8B C1 C1 E8 10 25 FF 7F 00 00 C3 }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
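As an added example (not part of the original page or of the rule author's work), the following Python shows what the single $c0 hex string actually matches. It parses the YARA-style pattern, treating each ?? as a one-byte wildcard so that the 4-byte displacement of the leading E8 call instruction (which differs from binary to binary, hence the wildcards) is ignored, and scans a buffer for it. The second function evaluates the arithmetic the fixed bytes encode: imul ecx, ecx, 0x343FD; add ecx, 0x269EC3; shr eax, 16; and eax, 0x7FFF, which is the linear congruential generator of the Microsoft C runtime rand(). The sample buffer, its 55 89 E5 filler bytes and the placeholder displacement 11 22 33 44 are constructed for this demonstration; the matcher is a minimal re-implementation of YARA hex-string semantics for checking the pattern offline, not the YARA engine itself.

```python
import re
from typing import List, Optional

# Hex string copied from the $c0 pattern of the VC8_Random rule above.
VC8_RANDOM_HEX = (
    "E8 ?? ?? ?? ?? 8B 48 14 69 C9 FD 43 03 00 81 C1 C3 9E 26 00 "
    "89 48 14 8B C1 C1 E8 10 25 FF 7F 00 00 C3"
)


def parse_hex_pattern(pattern: str) -> List[Optional[int]]:
    """Parse a YARA-style hex string; '??' becomes None (match any byte)."""
    parsed: List[Optional[int]] = []
    for token in pattern.split():
        if token == "??":
            parsed.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", token):
            parsed.append(int(token, 16))
        else:
            # Jumps like [4-6] or alternatives are not needed for this rule.
            raise ValueError(f"unsupported hex-string token: {token!r}")
    return parsed


def find_pattern(data: bytes, pattern: List[Optional[int]]) -> List[int]:
    """Return every offset in data where the pattern matches, honouring wildcards."""
    hits: List[int] = []
    n = len(pattern)
    for offset in range(len(data) - n + 1):
        if all(p is None or data[offset + i] == p for i, p in enumerate(pattern)):
            hits.append(offset)
    return hits


def msvc_rand_sequence(seed: int, count: int) -> List[int]:
    """Evaluate the generator encoded by the fixed bytes of the pattern.

    69 C9 FD 43 03 00  imul ecx, ecx, 0x343FD   (214013)
    81 C1 C3 9E 26 00  add  ecx, 0x269EC3      (2531011)
    C1 E8 10           shr  eax, 16
    25 FF 7F 00 00     and  eax, 0x7FFF
    8B 48 14 / 89 48 14 load and store the 32-bit state at [eax+0x14],
    and 8B C1 copies the new state into eax before the shift.
    """
    state = seed & 0xFFFFFFFF
    out: List[int] = []
    for _ in range(count):
        state = (state * 0x343FD + 0x269EC3) & 0xFFFFFFFF
        out.append((state >> 16) & 0x7FFF)
    return out


PATTERN = parse_hex_pattern(VC8_RANDOM_HEX)

# Constructed sample: three filler bytes, then a call with an arbitrary
# 4-byte displacement (covered by the wildcards), then the fixed tail.
_FIXED_TAIL = bytes(b for b in PATTERN[5:] if b is not None)
SAMPLE = bytes.fromhex("55 89 E5") + bytes.fromhex("E8 11 22 33 44") + _FIXED_TAIL

# Same bytes with the mask changed from 0x7FFF to 0xFFFF: must not match.
CLEAN = SAMPLE.replace(bytes.fromhex("25 FF 7F 00 00"), bytes.fromhex("25 FF FF 00 00"))

if __name__ == "__main__":
    print("pattern length:", len(PATTERN))
    print("hits in SAMPLE:", find_pattern(SAMPLE, PATTERN))
    print("hits in CLEAN:", find_pattern(CLEAN, PATTERN))
    print("first values for seed 1:", msvc_rand_sequence(1, 3))
```

Because the rule keys on one 34-byte sequence from a specific compiler's runtime, a hit means "this binary statically links that rand() implementation", which is true of many benign MSVC-built programs; triage should treat the match as a code-origin indicator to be combined with other rules rather than as evidence of malicious use of randomness on its own.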
Scenario: A system administrator is using PowerShell to generate a random password for a new user account.
Filter/Exclusion: Exclude processes initiated by the Administrator user or those containing the string "New-LocalUser" or "GeneratePassword".
Scenario: A scheduled job runs a script that uses the Random function to simulate random data for testing purposes.
Filter/Exclusion: Exclude processes associated with the Task Scheduler service or those containing the string "TestData" or "SimulateRandom".
Scenario: A DevOps engineer is using Python to generate random UUIDs for temporary test environments.
Filter/Exclusion: Exclude processes running under a devops user or those containing the string "uuid.uuid4" or "test_env".
Scenario: A database administrator is using SQL Server’s RAND() function to generate random sample data for reporting.
Filter/Exclusion: Exclude queries executed by the sa user or those containing the string "RAND()" or "sample_data".
Scenario: A security analyst is using Splunk to generate random values for a simulation during a red team exercise.
Filter/Exclusion: Exclude events with the source type splunk_simulated or those containing the string "red_team" or "simulate_random".