Files flagged by the 'suspicious_version' rule carry a %PDF header but no %PDF-1.x version string. Such files may indicate known malicious variants associated with malware families, as these versions are often used in initial compromise or persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential early-stage threats and prevent lateral movement or data exfiltration.
YARA Rule
rule suspicious_version : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 3

    strings:
        // ASCII "%PDF", the file signature every PDF is expected to start with
        $magic = { 25 50 44 46 }
        // A standard 1.x version header such as "%PDF-1.7"; the dot is escaped so it
        // matches a literal period rather than any single byte
        $ver = /%PDF-1\.\d{1}/

    condition:
        // Signature begins within the first 1024 bytes, yet no 1.x version header appears
        $magic in (0..1024) and not $ver
}
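To show exactly what the condition above accepts and rejects, here is a pure-Python reference of the rule's logic (an added example, not part of the original rule or Glenn Edwards' code, and it does not invoke the YARA engine). It evaluates the two patterns against constructed PDF-like byte strings, including a "%PDF-2.0" header, which the 1.x regex never matches and therefore trips the rule, and it contrasts the escaped version regex with an unescaped-dot variant, which treats any byte after "1" as a separator.

```python
import re

# $magic = { 25 50 44 46 }: the ASCII bytes of "%PDF".
MAGIC = b"%PDF"
# $ver with the dot escaped, so it only matches a literal "%PDF-1.<digit>" header.
VER_RE = re.compile(rb"%PDF-1\.\d")
# The same pattern with an unescaped dot (matches any byte), kept for comparison.
VER_RE_LOOSE = re.compile(rb"%PDF-1.\d")


def suspicious_version(data: bytes, ver_re: re.Pattern = VER_RE) -> bool:
    """Return True when the rule would fire on `data`.

    `$magic in (0..1024)` requires the match to *start* at an offset of at most 1024;
    `not $ver` requires that no 1.x version string occurs anywhere in the file.
    """
    idx = data.find(MAGIC)
    magic_in_head = 0 <= idx <= 1024
    has_version = ver_re.search(data) is not None
    return magic_in_head and not has_version


# Constructed sample inputs (not real files); each is a minimal PDF-like byte string.
SAMPLES = {
    # Normal header: the rule stays quiet.
    "normal_1_7": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    # Magic present but the version suffix is missing: the rule fires.
    "no_version": b"%PDF\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    # ISO 32000-2 files use "%PDF-2.0", which the 1.x regex never matches:
    # a benign trigger to expect when tuning the rule.
    "pdf_2_0": b"%PDF-2.0\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    # Magic only appears after offset 1024 (e.g. prepended padding): out of range, no hit.
    "buried_magic": b"\x00" * 1500 + b"%PDF\n1 0 obj\nendobj\n",
    # Malformed separator "%PDF-1x7": the escaped regex does not accept it, so the rule
    # fires; the unescaped variant would treat it as a valid version and stay quiet.
    "odd_separator": b"%PDF-1x7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
}


def triage(samples: dict = SAMPLES, ver_re: re.Pattern = VER_RE) -> dict:
    """Apply the rule logic to every sample and report which names would match."""
    return {name: suspicious_version(blob, ver_re) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{name:14s} {'MATCH' if hit else 'clean'}")
```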
This rule contains two string patterns in its detection logic, $magic (the %PDF header bytes) and $ver (the 1.x version regex). This YARA rule can be deployed in the following contexts, each paired with a filter or exclusion to tune it:
Scenario: A system administrator is running a scheduled backup job that uses a known malicious version of a backup tool (e.g., rsync with a malicious version ID).
Filter/Exclusion: Exclude files with the process name rsync or files executed from the backup directory (e.g., /var/backups/).

Scenario: A developer is using a legitimate version of a code analysis tool (e.g., SonarQube) that has a known malicious version in its history, but the current version is clean.
Filter/Exclusion: Exclude files with the process name sonar-scanner or files with a known clean version hash (e.g., sonar-scanner-4.6.1.2110).

Scenario: A system update task is deploying a known malicious version of a system utility (e.g., sysprep or msiexec) as part of a patching process.
Filter/Exclusion: Exclude files with the process name msiexec or files signed by a trusted Microsoft publisher.

Scenario: A security tool (e.g., CrowdStrike Falcon) is using a known malicious version of its own agent for testing or during a security audit.
Filter/Exclusion: Exclude files with the process name falcon or files associated with the security tool's internal testing environment.

Scenario: A DevOps pipeline is deploying a legitimate version of a CI/CD tool (e.g., Jenkins) that has a known malicious version in its version history.
Filter/Exclusion: Exclude files with the process name java or files executed from the CI/CD pipeline directory (e.g., /opt/jenkins/).