The FlashNewfunction rule flags decoded PDF content that embeds a Flash object (/Subtype /Flash) together with a JavaScript-style unescape() call or a run of %u-encoded shellcode, the combination used by exploits for CVE-2010-1297, the Adobe Flash Player and Adobe Reader vulnerability referenced in the rule's metadata. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify suspicious activity that may evade traditional detection methods.
YARA Rule
rule FlashNewfunction: decodedPDF
{
    meta:
        ref = "CVE-2010-1297"
        hide = true
        impact = 5
        ref = "http://blog.xanda.org/tag/jsunpack/"
    strings:
        $unescape = "unescape" fullword nocase
        $shellcode = /%u[A-Fa-f0-9]{4}/
        $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/
        $cve20101297 = /\/Subtype ?\/Flash/
    condition:
        ($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297)
}
This rule contains 4 string patterns in its detection logic: a Flash subtype marker must be present, and it must be accompanied either by an unescape call plus at least one %u-encoded word, or by five consecutive %u-encoded words. The following scenarios describe benign activity that may trigger the rule, with a suggested filter for each.
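As an added example (not part of the original page or of the jsunpack rule set), the following Python re-implements the rule's four strings and its condition so the logic can be checked against constructed samples without yara-python; the sample inputs are constructed placeholders, not real exploit content.

```python
"""Pure-Python mirror of the FlashNewfunction YARA rule (added example)."""
import re

# The four string patterns from the rule. YARA's "fullword" means the match is
# not adjacent to an alphanumeric character; "nocase" is re.IGNORECASE.
UNESCAPE = re.compile(r"(?<![A-Za-z0-9])unescape(?![A-Za-z0-9])", re.IGNORECASE)
SHELLCODE = re.compile(r"%u[A-Fa-f0-9]{4}")           # $shellcode
SHELLCODE5 = re.compile(r"(?:%u[A-Fa-f0-9]{4}){5}")   # $shellcode5: five in a row
FLASH_SUBTYPE = re.compile(r"/Subtype ?/Flash")      # $cve20101297


def flash_newfunction(data: bytes) -> dict:
    """Evaluate the rule over raw bytes; returns the verdict and per-string hits."""
    text = data.decode("latin-1")  # byte-for-byte, like YARA scanning raw data
    hits = {
        "$unescape": bool(UNESCAPE.search(text)),
        "$shellcode": bool(SHELLCODE.search(text)),
        "$shellcode5": bool(SHELLCODE5.search(text)),
        "$cve20101297": bool(FLASH_SUBTYPE.search(text)),
    }
    # Condition: ($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297)
    branch1 = hits["$unescape"] and hits["$shellcode"] and hits["$cve20101297"]
    branch2 = hits["$shellcode5"] and hits["$cve20101297"]
    branch = "unescape+shellcode" if branch1 else ("shellcode5" if branch2 else None)
    return {"matched": branch1 or branch2, "branch": branch, "strings": hits}


# Constructed samples (placeholder hex words, not real shellcode).
SAMPLES = {
    "flash_with_unescape": b"<< /Subtype /Flash >> unescape('%u4141%u4242')",
    "flash_with_five_words": b"/Subtype/Flash %u4141%u4242%u4343%u4444%u4545",
    "flash_only": b"<< /Subtype /Flash /Length 12 >>",
    "shellcode_without_flash": b"unescape('%u4141%u4242%u4343%u4444%u4545')",
    "not_fullword": b"/Subtype /Flash xunescape('%u4141')",
}


def sample_verdicts() -> dict:
    """Run every constructed sample through the rule and collect the verdicts."""
    return {name: flash_newfunction(blob)["matched"] for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:25s} -> {'MATCH' if verdict else 'no match'}")
```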
Scenario: Legitimate software update via SCCM
Description: A legitimate software update is deployed using Microsoft System Center Configuration Manager (SCCM), which may include a file matching the FlashNewfunction YARA rule.
Filter/Exclusion: Check the file’s digital signature and verify it against known SCCM update packages. Use a filter like process.name == "msiexec.exe" AND file.hash == "known_sccm_update_hash".
Scenario: Scheduled backup job using Veeam
Description: A scheduled backup job initiated by Veeam Backup & Replication may generate files that match the FlashNewfunction rule due to temporary extraction or processing.
Filter/Exclusion: Filter by process name veeambackup.exe and check for presence in known backup directories (e.g., C:\ProgramData\Veeam\Backup). Use a filter like process.name == "veeambackup.exe" AND file.path contains "Veeam".
Scenario: Admin task using PowerShell for system cleanup
Description: An administrator may use PowerShell scripts to clean up temporary files or registry entries, which could generate files matching the FlashNewfunction rule.
Filter/Exclusion: Filter by process name powershell.exe and check for presence in known admin scripts or directories (e.g., C:\Windows\System32\WindowsPowerShell\v1.0). Use a filter like process.name == "powershell.exe" AND file.path contains "WindowsPowerShell".
Scenario: Legitimate file extraction by 7-Zip or WinRAR
Description: A user may extract files using 7-Zip or WinRAR, which could result in files that match the FlashNewfunction rule.
Filter/Exclusion: Filter by process name 7z.exe or RAR.exe and check for presence in known