Files associated with Glenn Edwards’ malicious campaigns may indicate a targeted attack leveraging known indicators of compromise, making proactive hunting critical to identify and disrupt potential adversarial activity in Azure Sentinel. SOC teams should prioritize this hunt to detect early-stage threats from a specific adversary and prevent lateral movement or data exfiltration.
YARA Rule
rule malicious_author : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 5

    strings:
        $magic = { 25 50 44 46 }
        $reg0 = /Creator.?\(yen vaw\)/
        $reg1 = /Title.?\(who cis\)/
        $reg2 = /Author.?\(ser pes\)/

    condition:
        $magic in (0..1024) and all of ($reg*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic: the PDF magic bytes ($magic, which must appear within the first 1024 bytes of the file) and three regular expressions ($reg0, $reg1, $reg2) over the document's Creator, Title and Author metadata, all of which must match.
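As an added example that is not part of the original page or the rule author's code, the rule's condition is reimplemented in Python so that the logic of `$magic in (0..1024) and all of ($reg*)` can be exercised against constructed samples (the three byte strings below are made up for this illustration) before the rule is deployed:

```python
import re

# Constructed samples (not real files): a PDF header followed by the three
# metadata entries the rule looks for; a benign PDF; and the same metadata
# without a PDF header inside the first 1024 bytes.
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Creator (yen vaw) /Title (who cis) "
               b"/Author (ser pes) >>\nendobj\n")
BENIGN_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Creator (Word) /Title (Quarterly report) "
              b"/Author (J. Doe) >>\nendobj\n")
LATE_MAGIC = (b"\x00" * 2048
              + b"%PDF-1.4 /Creator (yen vaw) /Title (who cis) /Author (ser pes)")

MAGIC = b"%PDF"        # $magic = { 25 50 44 46 }
MAGIC_WINDOW = 1024    # $magic in (0..1024): match must START at offset <= 1024
PATTERNS = {           # the $reg* strings, byte regexes as in the rule
    "$reg0": re.compile(rb"Creator.?\(yen vaw\)"),
    "$reg1": re.compile(rb"Title.?\(who cis\)"),
    "$reg2": re.compile(rb"Author.?\(ser pes\)"),
}


def matched_strings(data: bytes) -> dict:
    """Report, per string identifier, whether it matches in `data`.

    Useful for triage: it shows *which* clause failed on a near-miss file.
    """
    hits = {}
    # bytes.find(sub, start, end) requires the match to end by `end`, so an
    # end of 1024 + len(MAGIC) allows start offsets 0..1024, as YARA does.
    hits["$magic"] = data.find(MAGIC, 0, MAGIC_WINDOW + len(MAGIC)) != -1
    for name, pattern in PATTERNS.items():
        hits[name] = pattern.search(data) is not None
    return hits


def matches_malicious_author(data: bytes) -> bool:
    """Evaluate the rule condition: $magic in window AND all of ($reg*)."""
    hits = matched_strings(data)
    return hits["$magic"] and all(hits[n] for n in PATTERNS)


if __name__ == "__main__":
    for label, sample in [("suspect", SUSPECT_PDF), ("benign", BENIGN_PDF),
                          ("late magic", LATE_MAGIC)]:
        print(f"{label:>10}: {matches_malicious_author(sample)} {matched_strings(sample)}")
```

Because every $reg* string is required, a file carrying only one or two of the metadata values is not flagged, so a per-string report like the one above is the quickest way to see why a suspicious document fell short of the condition.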
Scenario: Legitimate System Backup Job
Description: A scheduled backup job (e.g., Veeam Backup & Replication, Commvault, or Veeam Backup for Microsoft 365) is generating files with names or hashes that match the malicious_author rule due to naming conventions or temporary files.
Filter/Exclusion: Exclude files created by known backup tools or scheduled tasks using the process.name field (e.g., veeam.exe, commvault.exe) or check the file.path against known backup directories.
Scenario: Admin Task Using Glenn Edwards’ Name for Debugging
Description: A system administrator may use “Glenn Edwards” as a placeholder or debug name in scripts, logs, or configuration files during troubleshooting or testing.
Filter/Exclusion: Exclude files or logs where the term “Glenn Edwards” appears in a context that indicates debugging, testing, or administrative use (e.g., process.name matches powershell.exe or cmd.exe with a known admin script).
Scenario: Email Gateway Quarantine with Sender Name Match
Description: An email gateway (e.g., Microsoft Exchange Online, Cisco Secure Email Gateway) may quarantine emails from an external sender with the name “Glenn Edwards” due to a false positive match.
Filter/Exclusion: Exclude emails where the sender is known to be a legitimate contact or where the email domain is verified as safe (e.g., use email.from and email.domain fields to filter out known internal or trusted domains).
Scenario: File Share Monitoring with Temporary Files
Description: A file share monitoring tool (e.g., Microsoft OneDrive, Google Drive, or SyncBackSE) may create temporary files with names that match the malicious_author rule during sync operations.