This detection flags potential adversary behavior where files are embedded within an otherwise legitimate-looking PDF whose header declares a version earlier than 1.3. Embedded files were only introduced in PDF 1.3, so a sub-1.3 header combined with an /EmbeddedFiles entry suggests the version header was altered, a mismatch that can let the embedded content slip past parsers and detection methods that trust the declared version. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate covert data exfiltration or persistence mechanisms that may go undetected by standard monitoring tools.
YARA Rule
rule embed_wrong_version : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        description = "EmbeddedFiles were introduced in v1.3"
        ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
        version = "0.1"
        weight = 1
    strings:
        $magic = { 25 50 44 46 }      // "%PDF"
        $embed = /\/EmbeddedFiles/    // name tree entry that holds file attachments
        $ver = /%PDF-1\.[3-9]/        // any header string claiming 1.3 or later
    condition:
        $magic in (0..1024) and $embed and not $ver
}
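As an added example (not part of the original rule or its author's tooling), the Python below ports the rule's condition directly and sets it beside a variant that parses the declared header version instead; the sample byte strings are constructed stand-ins, not real documents.

```python
import re

MAGIC = b"%PDF"
EMBED = b"/EmbeddedFiles"
VER_ANY = re.compile(rb"%PDF-1\.[3-9]")     # the rule's $ver, matched anywhere in the file
HEADER = re.compile(rb"%PDF-(\d+)\.(\d+)")  # header parse used by the stricter variant


def matches_yara_rule(data: bytes) -> bool:
    """Direct port of: $magic in (0..1024) and $embed and not $ver."""
    return (MAGIC in data[:1024 + len(MAGIC)]   # "%PDF" must start at offset <= 1024
            and EMBED in data
            and VER_ANY.search(data) is None)


def declared_version(data: bytes):
    """(major, minor) from the first %PDF-x.y header near the start, or None."""
    m = HEADER.search(data[:1024 + 16])
    return (int(m.group(1)), int(m.group(2))) if m else None


def header_check(data: bytes) -> bool:
    """Stricter variant: trust only the declared header version, so a later
    '%PDF-1.x' string (e.g. an attached PDF) cannot suppress the hit."""
    ver = declared_version(data)
    return ver is not None and ver < (1, 3) and EMBED in data


# Constructed samples (not real files), trimmed to the parts the checks inspect.
SAMPLES = {
    "v1.2_with_embedded": b"%PDF-1.2\n1 0 obj << /Names << /EmbeddedFiles 2 0 R >> >> endobj\n%%EOF",
    "v1.5_with_embedded": b"%PDF-1.5\n1 0 obj << /Names << /EmbeddedFiles 2 0 R >> >> endobj\n%%EOF",
    "v1.2_no_embedded":   b"%PDF-1.2\n1 0 obj << /Type /Catalog >> endobj\n%%EOF",
    # 1.2 header, but an attached PDF's own uncompressed header appears later
    "v1.2_embedded_pdf":  b"%PDF-1.2\n1 0 obj << /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
                          b"2 0 obj << /Type /EmbeddedFile >> stream\n%PDF-1.7\n%%EOF\nendstream endobj\n%%EOF",
    "not_a_pdf":          b"MZ\x90\x00 junk /EmbeddedFiles",
}


def scan_all(samples=SAMPLES):
    """Map sample name -> (yara_rule_hit, header_check_hit)."""
    return {name: (matches_yara_rule(d), header_check(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (yara_hit, header_hit) in scan_all().items():
        print(f"{name:22s} yara_rule={yara_hit!s:5s} header_check={header_hit}")
```

The fourth sample shows the caveat: because `$ver` is matched anywhere in the file, an uncompressed attachment that itself starts with `%PDF-1.7` silences the YARA rule, while the header-based variant still fires.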
This rule contains 3 string patterns in its detection logic.
This YARA rule can be deployed in the following contexts, each with a suggested false-positive exclusion:
Scenario: A system administrator is using PowerShell to automate the deployment of a new application, which includes embedding configuration files using Set-Content or Out-File commands.
Filter/Exclusion: Exclude files created by PowerShell scripts with a known deployment pattern, e.g., ProcessName == "powershell.exe" AND CommandLine LIKE "%-File%"
Scenario: A scheduled job runs nightly to archive logs using a script that embeds log data into a compressed file (e.g., ZIP or TAR) for storage.
Filter/Exclusion: Exclude files generated by scheduled tasks with a known pattern, e.g., ProcessName == "schtasks.exe" OR FileName == "archive_logs.ps1"
Scenario: A configuration management tool like Ansible or Chef is used to push configuration files to multiple servers, which may include embedded content in the playbook or recipe files.
Filter/Exclusion: Exclude files with known configuration management extensions, e.g., FileName == "*.yml" OR FileName == "*.rb"
Scenario: An IT admin is using Windows Task Scheduler to run a script that generates a report with embedded data for internal use, such as a CSV or XML file.
Filter/Exclusion: Exclude files created by Task Scheduler jobs, e.g., ProcessName == "schtasks.exe" OR FileName == "generate_report.bat"
Scenario: A development team uses Git to manage source code, and during a CI/CD pipeline, embedded files (like images or assets) are included in the repository and checked in as part of the build process.
Filter/Exclusion: Exclude files with known asset extensions or those in a specific directory, e.g., FileName == "*.png" OR FileName == "*.jpg" OR Path == "assets/"