The hypothesis is that the presence of suspicious strings in a document may indicate a malicious document used to deliver a payload or execute code. The strings this rule looks for are the names of Windows API functions (kernel32 exports such as LoadLibrary, VirtualAlloc and WinExec, plus ShellExecute from shell32 and UrlDownloadToFile from urlmon) that a benign Office file has no reason to contain in plaintext, but that routinely appear in shellcode or in an executable embedded in the document. SOC teams should proactively hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify potential malware delivery vectors early and prevent lateral movement or data exfiltration.
YARA Rule
rule maldoc_suspicious_strings : maldoc
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a01 = "CloseHandle"
        $a02 = "CreateFile"
        $a03 = "GetProcAddr"
        $a04 = "GetSystemDirectory"
        $a05 = "GetTempPath"
        $a06 = "GetWindowsDirectory"
        $a07 = "IsBadReadPtr"
        $a08 = "IsBadWritePtr"
        $a09 = "LoadLibrary"
        $a10 = "ReadFile"
        $a11 = "SetFilePointer"
        $a12 = "ShellExecute"
        $a13 = "UrlDownloadToFile"
        $a14 = "VirtualAlloc"
        $a15 = "WinExec"
        $a16 = "WriteFile"
    condition:
        any of them
}
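The rule's matching logic, re-implemented in Python as an added example (this is not part of the original page or of Didier Stevens' maldoc rules), together with the document-type gate a practitioner adds before pointing the rule at a file share. The magic-byte scope, the sample buffers and their labels are constructed for the demonstration; a production deployment would run the real rule with yara-python against real files, but the behaviour shown is the same: a hit on embedded loader strings, a would-be false positive on a PE import table, and no match on the real export name URLDownloadToFileA because YARA text strings are case-sensitive.

```python
# Added example (not part of the original page or of Didier Stevens' maldoc rules):
# a pure-Python re-implementation of the rule's matching logic, with the file-type
# gate a practitioner adds before deploying it. All inputs below are constructed in
# this file; nothing is read from disk.
from typing import Dict, List, Optional

# The 16 text strings from the rule, verbatim. YARA text strings are case-sensitive
# unless the `nocase` modifier is given, so a plain byte search reproduces them.
RULE_STRINGS: Dict[str, bytes] = {
    "$a01": b"CloseHandle", "$a02": b"CreateFile", "$a03": b"GetProcAddr",
    "$a04": b"GetSystemDirectory", "$a05": b"GetTempPath", "$a06": b"GetWindowsDirectory",
    "$a07": b"IsBadReadPtr", "$a08": b"IsBadWritePtr", "$a09": b"LoadLibrary",
    "$a10": b"ReadFile", "$a11": b"SetFilePointer", "$a12": b"ShellExecute",
    "$a13": b"UrlDownloadToFile", "$a14": b"VirtualAlloc", "$a15": b"WinExec",
    "$a16": b"WriteFile",
}

# Leading magic bytes of the document containers the rule is intended for.
# This scope is an assumption of the example: the rule itself has no file-type condition.
DOCUMENT_MAGIC: Dict[bytes, str] = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy .doc/.xls/.ppt)",
    b"PK\x03\x04": "ZIP container (OOXML .docx/.xlsx/.pptx)",
    b"{\\rtf": "RTF",
    b"%PDF": "PDF",
}


def match_suspicious_strings(data: bytes) -> List[str]:
    """Identifiers of the rule strings present in data; `any of them` fires if non-empty."""
    return [name for name, needle in RULE_STRINGS.items() if needle in data]


def document_type(data: bytes) -> Optional[str]:
    """Container label if data starts with a known document magic, else None."""
    for magic, label in DOCUMENT_MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def scan(data: bytes) -> Dict[str, object]:
    """Run the rule only on document containers; PE files (MZ) and other types are skipped."""
    kind = document_type(data)
    if kind is None:
        return {"scanned": False, "type": None, "hits": [], "alert": False}
    hits = match_suspicious_strings(data)
    return {"scanned": True, "type": kind, "hits": hits, "alert": bool(hits)}


# Constructed samples (not real files).
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
CLEAN_DOC = OLE_HEADER + b"Quarterly report: revenue up 4% on last year."
# Typical loader strings left in shellcode that resolves its own imports.
MALDOC = OLE_HEADER + b"\x90\x90LoadLibraryA\x00GetProcAddress\x00VirtualAlloc\x00WinExec\x00"
# Every Windows executable's import table carries these names: a false positive if scanned.
PE_FILE = b"MZ\x90\x00" + b"\x00" * 60 + b"KERNEL32.dll\x00CreateFileW\x00ReadFile\x00WriteFile\x00CloseHandle\x00"
# The real urlmon export is URLDownloadToFileA; the rule's "UrlDownloadToFile" differs in case.
URLMON_DOC = OLE_HEADER + b"urlmon.dll\x00URLDownloadToFileA\x00"

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_DOC), ("maldoc", MALDOC),
                          ("pe", PE_FILE), ("urlmon", URLMON_DOC)]:
        print(label, scan(sample))
```

Running the rule logic directly on PE_FILE would return four hits ($a01, $a02, $a10, $a16) from nothing more than a normal kernel32 import table, which is why the gate in scan() refuses anything that is not a document container rather than trying to tune the strings.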
The rule contains 16 string patterns in its detection logic, and its condition is `any of them`, so a single occurrence of one API name anywhere in the file is enough to fire. Two caveats matter before deploying it. First, YARA text strings are case-sensitive unless marked `nocase`: the rule's "UrlDownloadToFile" will not match the actual urlmon export name URLDownloadToFileA, while the other 15 strings match the real API names (and their A/W variants) as substrings. Second, the rule has no file-type condition; every Windows executable's import table contains CreateFile, ReadFile, WriteFile and CloseHandle, so the scan must be scoped to document files (OLE2, OOXML, RTF, PDF) or it will alert on every binary it touches. The scenarios below describe legitimate activity that can trigger the rule, each with a filter or exclusion.
Scenario: A system administrator uses PowerShell to deploy a legitimate script that calls Win32 APIs through P/Invoke (an Add-Type block declaring, say, CreateFile or ReadFile), so the script file itself contains API names matching the rule. Strings such as Invoke-WebRequest or IEX are not in the rule and do not trigger it.
Filter/Exclusion: Exclude only when ProcessName == "powershell.exe" and CommandLine contains the full path of the known script (e.g. "deploy-script.ps1"). Do not add or User == "admin": `and` binds tighter than `or`, so that clause by itself suppresses every alert attributed to an admin account, which is exactly the account an attacker wants to operate as.
Scenario: A scheduled job runs a Python script (e.g., python3 script.py) that fetches a response with requests and writes it to disk. The rule matches only if the saved content carries the API names in plaintext (for example a downloaded binary, or a report that lists imported functions); base64- or hex-encoded data does not match these strings until it is decoded.
Filter/Exclusion: Filter by ProcessName == "python" and CommandLine contains "script.py", and limit the exclusion to the job's known output directory. Do not exclude by User == "service_account" alone: a stolen service account is a common pivot, and an or User == "service_account" clause exempts everything that account does, not just this job.
Scenario: A log management tool like the ELK Stack (Logstash) or Splunk writes log files whose messages record API names in plaintext, for example EDR or Sysmon events that list loaded modules or imported functions, so a scan that includes the log directory triggers the rule. Base64 or hex encoded log payloads do not match.
Filter/Exclusion: Filter by ProcessName == "logstash" or ProcessName == "splunkd" as the process that wrote the file, and exclude their log output paths from the scan scope; the cleaner fix is to scan only document file types so that log files never reach the rule.
Scenario: A system update task using WSUS or Windows Update downloads update packages containing executables and DLLs, and every PE import table lists functions such as CreateFile, ReadFile, WriteFile, CloseHandle and LoadLibrary, so the rule fires on each payload if the download folder is in scope.
Filter/Exclusion: Filter by ProcessName == "wusa.exe" or ProcessName == "wuauclt.exe" and restrict to paths under C:\Windows\SoftwareDistribution\Download; better still, skip any file that begins with the MZ header, since the rule is written for documents, not executables.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) runs a build script that produces compiled artifacts (executables, DLLs, object files, symbol files) whose import tables and symbol names match the rule. The encoded form used to transfer artifacts does not match; the decoded files on the build agent do.
Filter/Exclusion: Filter by ProcessName == "java" or ProcessName == "node" and check for `CommandLine contains “ci
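The Filter/Exclusion clauses above, written as predicates over constructed alert records, as an added example that is not from the original page. The field names (ProcessName, CommandLine, User) are the ones the filters use; the alert records, the script path C:\ops\deploy-script.ps1 and the command lines are invented for the demonstration. It shows that the clause or User == "admin", taken literally, drops the alert on a Word document opened by an administrator along with the deployment script, because `and` binds tighter than `or` in Python as it does in KQL.

```python
# Added example (not from the original page): the page's Filter/Exclusion clauses as
# predicates over constructed alert records, to show why "A and B or User == admin"
# suppresses far more than intended. Field names follow the page's filters; the
# records, paths and command lines are invented for the demonstration.
from typing import Callable, Dict, List

Alert = Dict[str, str]

# Constructed alerts: one YARA hit each, with the process that wrote the file.
ALERTS: List[Alert] = [
    {"id": "1", "ProcessName": "powershell.exe", "User": "admin",
     "CommandLine": "powershell.exe -File C:\\ops\\deploy-script.ps1"},
    {"id": "2", "ProcessName": "WINWORD.EXE", "User": "admin",
     "CommandLine": "WINWORD.EXE C:\\Users\\admin\\Downloads\\invoice.doc"},
    {"id": "3", "ProcessName": "powershell.exe", "User": "jsmith",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"id": "4", "ProcessName": "python", "User": "service_account",
     "CommandLine": "python3 /opt/jobs/script.py"},
]


def exclusion_as_written(a: Alert) -> bool:
    """The page's first filter taken literally. `and` binds tighter than `or`, so this is
    (powershell AND deploy-script) OR (User == admin): every alert attributed to an
    admin account is dropped, including the Word document in alert 2."""
    return (a["ProcessName"] == "powershell.exe" and "deploy-script.ps1" in a["CommandLine"]
            or a["User"] == "admin")


def exclusion_scoped(a: Alert) -> bool:
    """Require every property of the known-good activity at once: the tool, the exact
    script path, and the account expected to run it. Anything else stays in the queue."""
    return (a["ProcessName"] == "powershell.exe"
            and a["CommandLine"].lower().endswith("c:\\ops\\deploy-script.ps1")
            and a["User"] == "admin")


def triage_queue(alerts: List[Alert], exclude: Callable[[Alert], bool]) -> List[str]:
    """IDs of alerts that survive the exclusion and still need an analyst."""
    return [a["id"] for a in alerts if not exclude(a)]


if __name__ == "__main__":
    print("as written:", triage_queue(ALERTS, exclusion_as_written))
    print("scoped:    ", triage_queue(ALERTS, exclusion_scoped))
```

The same test applies to the other filters on this page: any exclusion that can be satisfied by a single field such as User or ProcessName, rather than by the full combination that identifies the benign job, will silence the attacker who lands in that account or that process.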