The hypothesis is that an adversary may be creating suspicious artifacts or files to establish persistence or exfiltrate data. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential initial compromise or lateral movement tactics early.
YARA Rule
rule suspicious_creation : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 2
    strings:
        $magic = { 25 50 44 46 }
        $header = /%PDF-1\.(3|4|6)/
        $create0 = /CreationDate \(D:20101015142358\)/
        $create1 = /CreationDate \(2008312053854\)/
    condition:
        $magic in (0..1024) and $header and 1 of ($create*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
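To show exactly what the rule's condition accepts and rejects, here is an added Python re-implementation of its four strings and its condition, run over constructed PDF-shaped byte strings. This is an illustration written for this page, not code from the rule's author or from YARA itself; the sample inputs and the function names (evaluate, scan_samples) are this example's own.

```python
import re

# Constructed sample inputs (not from the original page): byte strings shaped like
# PDF headers, chosen so that each branch of the rule's condition is exercised.
SAMPLES = {
    # Match: magic at offset 0, %PDF-1.4 header, first CreationDate pattern.
    "match_create0": b"%PDF-1.4\n1 0 obj\n<< /CreationDate (D:20101015142358) >>\nendobj\n",
    # Match: magic at offset 0, %PDF-1.6 header, second CreationDate pattern.
    "match_create1": b"%PDF-1.6\n1 0 obj\n<< /CreationDate (2008312053854) >>\nendobj\n",
    # No match: version 1.7 is outside the (3|4|6) alternation in $header.
    "wrong_version": b"%PDF-1.7\n<< /CreationDate (D:20101015142358) >>\n",
    # No match: valid header but an ordinary CreationDate value.
    "benign_date": b"%PDF-1.4\n<< /CreationDate (D:20230101120000) >>\n",
    # No match: the magic first appears after offset 1024, so `$magic in (0..1024)` fails.
    "late_magic": b"A" * 2000 + b"%PDF-1.4\n<< /CreationDate (D:20101015142358) >>\n",
}

MAGIC = b"%PDF"  # the rule's $magic hex string { 25 50 44 46 }
HEADER = re.compile(rb"%PDF-1\.(3|4|6)")  # $header
CREATE = [  # $create0 and $create1
    re.compile(rb"CreationDate \(D:20101015142358\)"),
    re.compile(rb"CreationDate \(2008312053854\)"),
]


def magic_in_range(data: bytes, end: int = 1024) -> bool:
    """Mirror `$magic in (0..1024)`: the magic must START at an offset <= 1024.
    bytes.find returns the lowest offset, so if that is beyond `end` no occurrence
    lies in the range (and -1 means the magic is absent)."""
    idx = data.find(MAGIC)
    return 0 <= idx <= end


def evaluate(data: bytes) -> dict:
    """Evaluate every string of the rule individually, then the combined condition:
    $magic in (0..1024) and $header and 1 of ($create*)."""
    hits = {
        "magic": magic_in_range(data),
        "header": HEADER.search(data) is not None,
        "create0": CREATE[0].search(data) is not None,
        "create1": CREATE[1].search(data) is not None,
    }
    # `1 of ($create*)` is true when at least one $create string is present.
    hits["matched"] = hits["magic"] and hits["header"] and (hits["create0"] or hits["create1"])
    return hits


def scan_samples(samples: dict = SAMPLES) -> dict:
    """Return {sample name: matched?} for every constructed sample."""
    return {name: evaluate(data)["matched"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, matched in scan_samples().items():
        print(f"{name:14s} -> {'MATCH' if matched else 'no match'}")
```

Two details worth noticing when tuning this rule: `$header` is unanchored, so the version string may sit anywhere in the file, while `$magic` is the only string tied to a file offset; and the two CreationDate values are exact literals, so a sample with a different timestamp (the `benign_date` case) is not flagged even though it is otherwise identical.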
Scenario: System update or patch installation using Windows Update or Group Policy
Filter/Exclusion: Check for process parent or command line containing wuauclt.exe, gpupdate.exe, or msiexec with known update package names.
Scenario: Scheduled job execution via Task Scheduler for routine maintenance
Filter/Exclusion: Filter processes with parent process schtasks.exe or check for command lines containing schtasks /run or known job names like DailyBackup.
Scenario: Logon session creation during normal user authentication
Filter/Exclusion: Exclude processes with parent lsass.exe or check for user context matching known domain users or service accounts.
Scenario: Database backup initiated by a scheduled job or DBMS tool like SQL Server Agent
Filter/Exclusion: Filter processes with parent sqlservr.exe or command lines containing sqlbackup or backup commands.
Scenario: System configuration tool like PowerShell or Command Prompt used by an admin for routine system configuration
Filter/Exclusion: Exclude processes with parent explorer.exe or command lines containing powershell.exe with known admin scripts or cmd.exe with documented administrative tasks.
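The five scenario/exclusion pairs above describe one triage step: drop process events that fit a documented benign pattern, keep the rest for analyst review. The following added Python example implements that step over constructed process-creation records. It is written for this page and is not Sentinel code or a query from the page's author; the ProcessEvent fields, the allowlist contents other than DailyBackup, and the function names (exclusion_reason, triage) are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ntpath


@dataclass
class ProcessEvent:
    """Minimal process-creation record. Field names are this example's own, chosen
    to resemble what a SOC would pull from a process table in Sentinel."""
    parent_image: str
    image: str
    command_line: str
    account: str


# Allowlists the scenarios refer to. "DailyBackup" is the page's own example job
# name; every other entry is a constructed placeholder to be replaced per environment.
KNOWN_JOB_NAMES = {"dailybackup"}
KNOWN_UPDATE_PACKAGES = {"example-update-package.msi"}
KNOWN_ADMIN_SCRIPTS = {"rotate-logs.ps1"}
KNOWN_ADMIN_CMD_TASKS = {"gpresult /r"}
KNOWN_DOMAIN_ACCOUNTS = {r"corp\svc_backup", r"corp\jdoe"}


def _basename(path: str) -> str:
    """Normalise an image path to its lower-cased file name so parent checks
    do not depend on the install directory or on letter case."""
    return ntpath.basename(path).lower()


def exclusion_reason(ev: ProcessEvent) -> Optional[str]:
    """Return the scenario that explains the event as benign, or None if no
    scenario applies. The checks follow the five Filter/Exclusion lines above."""
    parent = _basename(ev.parent_image)
    image = _basename(ev.image)
    cl = ev.command_line.lower()
    account = ev.account.lower()

    # Scenario 1: Windows Update / Group Policy, or msiexec with a known package.
    if parent in {"wuauclt.exe", "gpupdate.exe"} or (
        image == "msiexec.exe" and any(p in cl for p in KNOWN_UPDATE_PACKAGES)
    ):
        return "update-install"
    # Scenario 2: Task Scheduler parent, explicit `schtasks /run`, or a known job name.
    if parent == "schtasks.exe" or "schtasks /run" in cl or any(j in cl for j in KNOWN_JOB_NAMES):
        return "scheduled-job"
    # Scenario 3: logon-session creation, or a known domain/service account.
    if parent == "lsass.exe" or account in KNOWN_DOMAIN_ACCOUNTS:
        return "logon-session"
    # Scenario 4: SQL Server parent, or a backup command line.
    if parent == "sqlservr.exe" or "sqlbackup" in cl or "backup database" in cl:
        return "db-backup"
    # Scenario 5: interactive admin use of PowerShell or cmd with documented scripts/tasks.
    if (
        parent == "explorer.exe"
        or (image == "powershell.exe" and any(s in cl for s in KNOWN_ADMIN_SCRIPTS))
        or (image == "cmd.exe" and any(t in cl for t in KNOWN_ADMIN_CMD_TASKS))
    ):
        return "admin-config"
    return None


def triage(events: List[ProcessEvent]) -> Tuple[list, list]:
    """Split events into (kept for review, excluded with reason)."""
    kept, excluded = [], []
    for ev in events:
        reason = exclusion_reason(ev)
        (excluded if reason else kept).append((ev, reason))
    return kept, excluded


# Constructed sample events (not real telemetry): one per scenario plus one that
# fits none of them and therefore stays in the hunt results.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wuauclt.exe", r"C:\Windows\System32\msiexec.exe",
                 "msiexec /i example-update-package.msi /quiet", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd /c schtasks /run /tn DailyBackup", r"CORP\svc_backup"),
    ProcessEvent(r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd /c sqlbackup -db Sales", r"CORP\svc_sql"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -File rotate-logs.ps1", r"CORP\admin1"),
    ProcessEvent(r"C:\Program Files\Reader\reader.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -NoProfile -WindowStyle Hidden -EncodedCommand PLACEHOLDER", r"CORP\user7"),
]

if __name__ == "__main__":
    kept, excluded = triage(SAMPLE_EVENTS)
    for ev, reason in excluded:
        print(f"excluded ({reason}): {ev.command_line}")
    for ev, _ in kept:
        print(f"REVIEW: {ev.parent_image} -> {ev.command_line} as {ev.account}")
```

The exclusions are applied exactly as the scenarios word them, which means several are broad on their own: a bare `parent == explorer.exe` or `account in KNOWN_DOMAIN_ACCOUNTS` condition excludes any process those parents or users start. When promoting such filters into a Sentinel hunt it is safer to require the parent and the allowlisted script or job name together, and to keep the allowlists under change control so a new entry is a reviewed decision rather than a silent gap.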