3102 Identifying Strings

Hunt Hypothesis

Adversaries may use suspicious strings to exfiltrate data or execute malicious payloads, which could indicate initial compromise. SOC teams should proactively hunt for these strings in Azure Sentinel to identify potential early-stage threats and prevent further lateral movement.

YARA Rule

rule APT3102Strings
{
    
    meta:
        description = "3102 Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    strings:
        $ = "rundll32_exec.dll\x00Update"
        // this is in the encrypted code - shares with 9002 variant
        //$ = "POST http://%ls:%d/%x HTTP/1.1"

    condition:
       any of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints
• Source Rule

False Positive Guidance

• Scenario: A system administrator is using PowerShell to generate a report with the string “Identifying Strings” as part of a script comment or log message.
  Filter/Exclusion: Exclude events where the source process is powershell.exe and the event description contains “report” or “script comment”.

• Scenario: A scheduled job runs nightly using SQL Server Agent to clean up temporary files, and the job name includes the string “Identifying Strings”.
  Filter/Exclusion: Exclude events where the process name is sqlagent.exe and the job name contains “scheduled job” or “cleanup”.

• Scenario: A log management tool like Splunk is configured to index logs with a custom field named “Identifying Strings” for metadata purposes.
  Filter/Exclusion: Exclude events where the source is splunkd or the log source is a known log management system.

• Scenario: A backup job using Veeam Backup & Replication generates a log entry that includes the string “Identifying Strings” as part of its progress message.
  Filter/Exclusion: Exclude events where the process name is veeam.exe and the log message contains “backup” or “progress”.

• Scenario: A security tool like CrowdStrike Falcon or Microsoft Defender generates a log entry with the string “Identifying Strings” as part of its internal diagnostic messages.
  Filter/Exclusion: Exclude events where the source is a known endpoint security tool (e.g., falcon.exe, mpsvc.exe) or the log contains “diagnostic” or “internal”.