JBIG2 was introduced in v1.4

Hunt Hypothesis

The detection of JBIG2 in an environment may indicate the presence of obfuscated or compressed malicious payloads leveraging an older, less scrutinized encoding format. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential stealthy malware or data exfiltration attempts that evade traditional detection methods.

YARA Rule

rule JBIG2_wrong_version : PDF raw
{
	meta:
		author = "Glenn Edwards (@hiddenillusion)"
		description = "JBIG2 was introduced in v1.4"
		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
		version = "0.1"
		weight = 1
		
        strings:
                $magic = { 25 50 44 46 }
				$js = /\/JBIG2Decode/
				$ver = /%PDF-1\.[4-9]/

        condition:
                $magic in (0..1024) and $js and not $ver
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: A system update or patch deployment using Ansible or Chef that includes JBIG2-compliant image processing tools.
  Filter/Exclusion: Exclude events where the JBIG2 file is part of a known system update or package installation (e.g., process.name contains “ansible” or “chef”).

• Scenario: A scheduled backup job using Veeam or Commvault that processes documents with embedded JBIG2 images.
  Filter/Exclusion: Exclude events where the file is part of a backup process (e.g., process.name contains “veeam” or “commvault”).

• Scenario: A log analysis tool like ELK Stack or Splunk that generates temporary files with JBIG2 encoding during data processing.
  Filter/Exclusion: Exclude events where the file is generated by log analysis tools (e.g., process.name contains “elasticsearch” or “splunk”).

• Scenario: Administrative task involving PowerShell or Batch scripts that manipulate or convert image files using JBIG2 compression.
  Filter/Exclusion: Exclude events where the process is initiated by a known administrative script (e.g., process.name contains “powershell” or “cmd.exe” with specific command-line arguments).

• Scenario: Email client like Microsoft Outlook or Thunderbird that embeds JBIG2 images in email attachments during normal use.
  Filter/Exclusion: Exclude events where the file is an email attachment (e.g., process.name contains “outlook” or “thunderbird” and file.path contains “attachments”).