Adversaries embed API hashing routines in malicious documents to evade signature-based detection: the embedded shellcode resolves Windows API functions by comparing hashes of exported names rather than importing them by name, so static signatures that look for suspicious API strings do not fire. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware activity that bypasses traditional detection methods.
YARA Rule
rule maldoc_API_hashing : maldoc
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        // x86 string-hash loop: lodsb; test al,al; jz +7; ror edi,0x0D; add edi,eax; jmp -12; cmp edi,imm32
        $a1 = {AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF}
        // same loop with a 7-bit rotate (ror edi,0x07)
        $a2 = {AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF}
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
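As an added example (not from the original page or Didier Stevens' rule), the Python below re-implements the hash loop that the two byte patterns disassemble to and scans a buffer for the same opcode sequence, reporting which rotate variant matched. The starting EDI value of 0 and the sample buffer are assumptions; real shellcode may preload EDI before the loop.

```python
# Added example, not part of the original page or the YARA rule's author.
# The two YARA byte patterns are x86 machine code for a NUL-terminated string
# hash loop:  lodsb / test al,al / jz / ror edi,N / add edi,eax / jmp back /
# cmp edi,imm32.  Byte 7 of the pattern is the rotate count N (0x0D or 0x07).

# Opcode bytes around the rotate count, copied from the rule's $a1/$a2.
_PREFIX = b"\xac\x84\xc0\x74\x07\xc1\xcf"   # lodsb; test al,al; jz +7; ror edi,
_SUFFIX = b"\x01\xc7\xeb\xf4\x81\xff"       # add edi,eax; jmp -12; cmp edi,imm32


def hash_pattern(rotate: int) -> bytes:
    """Return the 14-byte opcode pattern for a ROR count (13 -> $a1, 7 -> $a2)."""
    return _PREFIX + bytes([rotate]) + _SUFFIX


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits, as x86 ROR does on EDI."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name: bytes, rotate: int, seed: int = 0) -> int:
    """Emulate the loop: for each non-NUL byte, EDI = ROR(EDI, rotate) + byte.

    seed is the assumed initial EDI value (0 here); the loop stops at the first NUL.
    """
    edi = seed
    for b in name.split(b"\x00", 1)[0]:
        edi = (ror32(edi, rotate) + b) & 0xFFFFFFFF
    return edi


def find_hash_loops(buf: bytes) -> list[tuple[int, int]]:
    """Scan buf like the YARA rule does; return (offset, rotate_count) per hit."""
    hits = []
    for rotate in (0x0D, 0x07):
        pat = hash_pattern(rotate)
        start = 0
        while (idx := buf.find(pat, start)) != -1:
            hits.append((idx, rotate))
            start = idx + 1
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample: padding bytes around the ROR13 variant of the loop.
    sample = b"\x90" * 16 + hash_pattern(0x0D) + b"\xcc" * 8
    for off, rot in find_hash_loops(sample):
        print(f"API-hash loop at offset {off}: ROR {rot} variant")
    print(hex(api_hash(b"AB", 13)))  # 0x2080042
```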
Scenario: A system administrator is using Microsoft Defender for Endpoint to scan a known safe file as part of a routine integrity check.
Filter/Exclusion: Exclude files with the Microsoft Defender process name or files signed by Microsoft.
Scenario: A scheduled backup job is running and temporarily hashes files as part of the backup process.
Filter/Exclusion: Exclude files accessed by the backup service or during specific time windows when backups are scheduled.
Scenario: A software update task using WSUS (Windows Server Update Services) is hashing files during the update process.
Filter/Exclusion: Exclude files associated with the WSUS service or files downloaded from known Microsoft update servers.
Scenario: A third-party endpoint security tool like CrowdStrike or SentinelOne is performing a full system scan and hashing files as part of its analysis.
Filter/Exclusion: Exclude files accessed by the CrowdStrike or SentinelOne process names.
Scenario: A DevOps pipeline is deploying a new application and temporarily hashes files during the deployment process.
Filter/Exclusion: Exclude files accessed by CI/CD tools like Jenkins, GitLab CI, or Azure DevOps.