Adversaries may embed malicious executables within non-executable files to evade basic detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential stealthy malware delivery methods that bypass traditional file-based detection.
YARA Rule
rule Embedded_EXE_Cloaking : maldoc {
    meta:
        description = "Detects an embedded executable in a non-executable file"
        author = "Florian Roth"
        date = "2015/02/27"
        score = 80
    strings:
        $noex_png = { 89 50 4E 47 }
        $noex_pdf = { 25 50 44 46 }
        $noex_rtf = { 7B 5C 72 74 66 31 }
        $noex_jpg = { FF D8 FF E0 }
        $noex_gif = { 47 49 46 38 }
        $mz = { 4D 5A }
        $a1 = "This program cannot be run in DOS mode"
        $a2 = "This program must be run under Win32"
    condition:
        (
            ( $noex_png at 0 ) or
            ( $noex_pdf at 0 ) or
            ( $noex_rtf at 0 ) or
            ( $noex_jpg at 0 ) or
            ( $noex_gif at 0 )
        )
        and
        for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
}
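The rule's condition re-implemented in Python, as an added example that is not code from the original page or from the rule's author; it needs no YARA install, so the logic can be exercised offline. It follows YARA semantics: `@a1` and `@a2` are the offsets of the first occurrence of each DOS-stub string, `@mz[i]` walks every `MZ` occurrence, and a string with no match makes its comparison undefined, which YARA evaluates as false. The sample blobs are constructed, not real files, and the function names (`embedded_exe_cloaking`, `build_sample`) are this example's own.

```python
# Added example (not part of the original page or the rule author's code):
# a pure-Python re-implementation of the Embedded_EXE_Cloaking condition.
# All sample inputs below are constructed test blobs, not real malware.

# Magic bytes the rule requires at offset 0 (the $noex_* strings).
CONTAINER_MAGICS = {
    "png": b"\x89PNG",            # 89 50 4E 47
    "pdf": b"%PDF",               # 25 50 44 46
    "rtf": b"{\\rtf1",            # 7B 5C 72 74 66 31
    "jpg": b"\xff\xd8\xff\xe0",   # FF D8 FF E0
    "gif": b"GIF8",               # 47 49 46 38
}
MZ = b"MZ"                                               # $mz
DOS_STUB_1 = b"This program cannot be run in DOS mode"   # $a1
DOS_STUB_2 = b"This program must be run under Win32"     # $a2
WINDOW = 200                                             # the "+ 200" bound


def all_offsets(data: bytes, needle: bytes) -> list:
    """Every offset of needle in data (YARA's @mz[1..#mz]); overlaps allowed."""
    found, pos = [], data.find(needle)
    while pos != -1:
        found.append(pos)
        pos = data.find(needle, pos + 1)
    return found


def first_offset(data: bytes, needle: bytes):
    """Offset of the first match (YARA's @a1 / @a2), or None if there is none."""
    pos = data.find(needle)
    return None if pos == -1 else pos


def embedded_exe_cloaking(data: bytes):
    """Return the matching container type ("png", "pdf", ...) or None.

    Mirrors the YARA condition:
      (one of the container magics at offset 0)
      and for any i in (1..#mz): (@a1 < @mz[i] + 200 or @a2 < @mz[i] + 200)
    A stub string that never occurs makes its comparison undefined in YARA,
    which evaluates as false; a None offset is treated the same way here.
    The rule checks only an upper bound, so a stub string located before the
    MZ bytes also satisfies it; that is the author's condition, kept as-is.
    """
    container = next((name for name, magic in CONTAINER_MAGICS.items()
                      if data.startswith(magic)), None)
    if container is None:
        return None
    a1 = first_offset(data, DOS_STUB_1)
    a2 = first_offset(data, DOS_STUB_2)
    for mz in all_offsets(data, MZ):
        bound = mz + WINDOW
        if (a1 is not None and a1 < bound) or (a2 is not None and a2 < bound):
            return container
    return None


def build_sample(prefix: bytes, pad_to: int, stub_gap: int,
                 stub: bytes = DOS_STUB_1) -> bytes:
    """Constructed test blob: prefix, zero padding up to pad_to, 'MZ', then the
    DOS-stub string stub_gap bytes after the MZ, followed by trailing zeros."""
    return (prefix + b"\x00" * (pad_to - len(prefix)) + MZ
            + b"\x90" * stub_gap + stub + b"\x00" * 32)


# Constructed samples: a PE-like blob (MZ, stub message at the usual 0x4E
# offset) hidden behind a PNG signature, the same behind a GIF signature,
# a clean PNG, a bare PE, and a PDF whose "MZ" text sits far from any stub.
SAMPLES = {
    "png_with_embedded_pe": build_sample(b"\x89PNG\r\n\x1a\n", 512, 0x4E - 2),
    "gif_with_embedded_pe": build_sample(b"GIF89a", 64, 0x4E - 2, DOS_STUB_2),
    "clean_png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 1024,
    "bare_pe": build_sample(b"", 0, 0x4E - 2),
    "pdf_with_distant_strings": build_sample(b"%PDF-1.7\n", 32, 500),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:26s} -> {embedded_exe_cloaking(blob)}")
```

Two behaviours worth noting when tuning this rule: a bare PE never fires, because the container magic must sit at offset 0, and the 200-byte window is only an upper bound on the stub offset, so the rule tolerates any MZ-then-stub spacing that a real DOS header produces (the message normally lands at 0x4E) while a document that merely mentions "MZ" hundreds of bytes away from such a sentence stays clean.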
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic.
Scenario: A system update package (e.g., Microsoft Windows Update) contains a legitimate embedded executable for patching purposes.
Filter/Exclusion: Check for known update packages (e.g., C:\Windows\Temp\WindowsUpdate*) or use a file hash whitelist for known safe embedded files.
Scenario: A backup job (e.g., Veeam or Acronis) includes a script or executable as part of its configuration or metadata.
Filter/Exclusion: Exclude files from known backup directories (e.g., C:\ProgramData\Veeam\Backup) or filter by file path patterns associated with backup tools.
Scenario: A system administrator uses a tool like PowerShell or Task Scheduler to run a script that includes an embedded executable for automation.
Filter/Exclusion: Exclude files with known administrative tools or scripts (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\*) or filter by process name or user context (e.g., user=Administrator).
Scenario: A legitimate software installation package (e.g., Adobe Acrobat or Java JRE) includes embedded executables for runtime or installation purposes.
Filter/Exclusion: Use a file hash or signature whitelist for known software installers (e.g., Adobe*, Java*) or filter by file path patterns associated with software distribution.
Scenario: A scheduled task (e.g., via Task Scheduler) runs a script that includes an embedded executable for maintenance or monitoring.
Filter/Exclusion: Exclude files associated with scheduled tasks (e.g., C:\Windows\Tasks\*) or filter by task name or execution context (e.g., taskname=SystemMaintenance).