The detection rule identifies potential use of the Flate compression method, which may indicate obfuscation or data encoding techniques used by adversaries to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malicious activity that could be used to hide payloads or exfiltrate data.
YARA Rule
rule FlateDecode_wrong_version : PDF raw
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
description = "Flate was introduced in v1.2"
ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
version = "0.1"
weight = 1
strings:
$magic = { 25 50 44 46 }
$js = /\/FlateDecode/
$ver = /%PDF-1\.[2-9]/
condition:
$magic in (0..1024) and $js and not $ver
}This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: A system administrator is using flate to compress log files as part of a routine log rotation process.
Filter/Exclusion: process.name != "flate" or process.parent.name != "logrotate"
Scenario: A scheduled job runs a script that uses flate to generate compressed reports for internal use.
Filter/Exclusion: process.name != "flate" or process.args != "generate_report.sh"
Scenario: A developer is using flate as part of a CI/CD pipeline to compress artifacts before deployment.
Filter/Exclusion: process.parent.name != "jenkins" or process.parent.name != "gitlab-runner"
Scenario: A database administrator is using flate to compress backup files stored in a shared network drive.
Filter/Exclusion: process.args != "backup_db.sh" or process.parent.name != "backup_scheduler"
Scenario: An IT support team is using flate to compress user data during a migration to a new storage system.
Filter/Exclusion: process.args != "migrate_data.sh" or process.parent.name != "migration_tool"