Adversaries may encode malicious PE files within sequences of numbers to evade basic detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential stealthy malware delivery methods that bypass traditional file-based detection.
YARA Rule
rule Contains_hidden_PE_File_inside_a_sequence_of_numbers : maldoc
{
    meta:
        author = "Martin Willing (https://evild3ad.com)"
        description = "Detect a hidden PE file inside a sequence of numbers (comma separated)"
        reference = "http://blog.didierstevens.com/2016/01/07/blackenergy-xls-dropper/"
        reference = "http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/"
        date = "2016-01-09"
        filetype = "decompressed VBA macro code"
    strings:
        $a = "= Array(" // Array of bytes
        $b = "77, 90," // MZ
        $c = "33, 84, 104, 105, 115, 32, 112, 114, 111, 103, 114, 97, 109, 32, 99, 97, 110, 110, 111, 116, 32, 98, 101, 32, 114, 117, 110, 32, 105, 110, 32, 68, 79, 83, 32, 109, 111, 100, 101, 46," // !This program cannot be run in DOS mode.
    condition:
        all of them
}
This rule contains three string patterns in its detection logic: the VBA Array() opener, the decimal encoding of the MZ header, and the decimal encoding of the DOS stub message; the condition requires all three to be present. The following scenarios describe benign activity that could match the rule when it is deployed, with a suggested filter or exclusion for each:
Scenario: A system backup job exports a list of file IDs in a comma-separated format, which coincidentally matches the pattern of a hidden PE file.
Filter/Exclusion: Exclude files generated by backup tools like Veeam, Commvault, or Veritas NetBackup by checking the process name or command line arguments.
Scenario: A scheduled task runs a script that generates a comma-separated list of numeric values for log parsing, which resembles a hidden PE file signature.
Filter/Exclusion: Exclude entries from scripts or tasks associated with log management tools like Splunk, ELK Stack, or Graylog by checking the parent process or script name.
Scenario: An administrator uses a tool like PowerShell or Python to generate a list of numeric IDs for internal tracking, which triggers the rule.
Filter/Exclusion: Exclude entries where the source process is powershell.exe or python.exe and the command line includes known tracking or logging scripts.
Scenario: A legitimate software update process generates a temporary file containing numeric IDs in a comma-separated format, which matches the rule’s pattern.
Filter/Exclusion: Exclude files created by update tools like Chocolatey, WSUS, or Microsoft Update by checking the file path or parent process.
Scenario: A system monitoring tool like Nagios or Zabbix outputs numeric metrics in a comma-separated format, which is misinterpreted as a hidden PE file.
Filter/Exclusion: Exclude entries from monitoring tools by checking the process name or using a custom field like tool_name in the event data.
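As an added example (not part of this page or the rule author's code), the Python below mirrors the rule's three-string condition on decompressed VBA text and then goes one step further by decoding the Array() literal to confirm an MZ header and the DOS stub message are actually present, which is what separates a hidden PE from the benign numeric lists described in the scenarios above; it also reproduces the rule's $c string from the DOS stub message. Both sample macros are constructed for the example.

```python
import re

# The DOS stub message and the rule's $c string, used to cross-check the rule.
DOS_STUB = b"!This program cannot be run in DOS mode."
YARA_C = ("33, 84, 104, 105, 115, 32, 112, 114, 111, 103, 114, 97, 109, 32, 99, 97, "
          "110, 110, 111, 116, 32, 98, 101, 32, 114, 117, 110, 32, 105, 110, 32, 68, "
          "79, 83, 32, 109, 111, 100, 101, 46,")
ARRAY_RE = re.compile(r"=\s*Array\((.*?)\)", re.S)

def dos_stub_as_decimal_csv():
    """Render the DOS stub message the way a VBA Array() literal carries it."""
    return ", ".join(str(b) for b in DOS_STUB) + ","

def yara_strings_present(vba_text):
    """Literal mirror of the rule's condition: all three strings occur somewhere."""
    return all(s in vba_text for s in ("= Array(", "77, 90,", YARA_C))

def decode_vba_byte_arrays(vba_text):
    """Decode every `= Array(...)` literal made only of values 0..255 into bytes.
    VBA line continuations (' _' followed by a newline) are joined first."""
    joined = re.sub(r"\s_\r?\n", " ", vba_text)
    blobs = []
    for m in ARRAY_RE.finditer(joined):
        items = [x.strip() for x in m.group(1).split(",") if x.strip()]
        if items and all(x.isdigit() and int(x) < 256 for x in items):
            blobs.append(bytes(int(x) for x in items))
    return blobs

def looks_like_hidden_pe(vba_text):
    """Stricter check: a decoded array starts with 'MZ' and carries the DOS stub."""
    return any(b.startswith(b"MZ") and DOS_STUB in b
               for b in decode_vba_byte_arrays(vba_text))

# Constructed sample of decompressed VBA modelled on the dropper pattern: the start
# of a PE header (MZ, padding, DOS stub) as a decimal array split across lines with
# VBA line continuations. Not a real binary.
_PE_PREFIX = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\r\r\n$"
_DEC = [str(x) for x in _PE_PREFIX]
SAMPLE_MALICIOUS_VBA = (
    "Sub AutoOpen()\n    Dim b() As Variant\n"
    "    b = Array(" + ", ".join(_DEC[:8]) + ", _\n"
    "        " + ", ".join(_DEC[8:]) + ")\n"
    "End Sub\n"
)
# Constructed benign macro: a comma-separated list of numeric IDs, as in the
# false-positive scenarios above; values above 255 cannot be bytes.
SAMPLE_BENIGN_VBA = "Sub Ids()\n    ids = Array(1001, 1002, 1003, 77, 90)\nEnd Sub\n"
```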