Adversaries may apply multiple filtering techniques to evade detection, which can indicate malware or payloads designed to bypass security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
YARA Rule
rule multiple_filtering : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.2"
        weight = 3
    strings:
        $magic = { 25 50 44 46 }
        $attrib = /\/Filter.*(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/
        // left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt
    condition:
        $magic in (0..1024) and $attrib
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
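The following Python is an added illustration, not part of the rule or this page: it transcribes the rule's condition ($magic within the first 1024 bytes and the $attrib regex) over three constructed sample PDFs, and pairs it with a looser extractor that lists each stream's filter chain for triage. The sample bytes, function names and the split-line case are assumptions; the split-line sample shows that, because `.` does not cross a newline in YARA (or Python) by default, a chain whose array starts on the line after /Filter is not caught by $attrib.

```python
import re

# Constructed samples (not from the page): one filter; two filters chained on the
# /Filter line; the same chain with a newline between /Filter and its array.
SINGLE_FILTER_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Length 12 /Filter /FlateDecode >>\n"
    b"stream\nxxxxxxxxxxxx\nendstream\nendobj\n%%EOF\n"
)
CHAINED_FILTER_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Length 12 /Filter [/ASCIIHexDecode /FlateDecode] >>\n"
    b"stream\nxxxxxxxxxxxx\nendstream\nendobj\n%%EOF\n"
)
SPLIT_LINE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Length 12 /Filter\n[/ASCIIHexDecode /FlateDecode] >>\n"
    b"stream\nxxxxxxxxxxxx\nendstream\nendobj\n%%EOF\n"
)

PDF_MAGIC = b"%PDF"  # the rule's $magic: 25 50 44 46

# The rule's $attrib pattern as a bytes regex. '.' stops at a newline while
# '\W+' does not, so the chain has to begin on the same line as /Filter.
MULTI_FILTER = re.compile(
    rb"/Filter.*(/ASCIIHexDecode\W+|/LZWDecode\W+|/ASCII85Decode\W+"
    rb"|/FlateDecode\W+|/RunLengthDecode){2}"
)

# Triage helper (my own, broader than the rule): every /Filter value, name or array.
FILTER_DECL = re.compile(rb"/Filter\s*(?:\[([^\]]*)\]|/(\w+))")


def matches_multiple_filtering(data: bytes) -> bool:
    """Mirror the rule's condition: $magic in (0..1024) and $attrib."""
    magic_offset = data.find(PDF_MAGIC)
    return 0 <= magic_offset <= 1024 and MULTI_FILTER.search(data) is not None


def filter_chains(data: bytes) -> list[list[str]]:
    """List each stream's filter chain regardless of line layout."""
    chains = []
    for m in FILTER_DECL.finditer(data):
        if m.group(1) is not None:   # array form: [/A /B]
            names = re.findall(rb"/(\w+)", m.group(1))
        else:                        # single name form: /A
            names = [m.group(2)]
        chains.append([n.decode("ascii") for n in names])
    return chains


if __name__ == "__main__":
    for label, pdf in [("single", SINGLE_FILTER_PDF), ("chained", CHAINED_FILTER_PDF),
                       ("split", SPLIT_LINE_PDF)]:
        print(label, matches_multiple_filtering(pdf), filter_chains(pdf))
```

Comparing the rule's verdict with the extracted chain for each sample makes the regex's line-bound scope visible, which is useful when tuning or extending $attrib.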
Scenario: Scheduled System Maintenance Tasks
Description: A legitimate scheduled task runs a script that filters network traffic using iptables or firewall-cmd as part of routine system maintenance.
Filter/Exclusion: Exclude processes initiated by cron or task scheduler with known maintenance scripts (e.g., /etc/cron.daily/ or C:\Windows\tasks\).

Scenario: Email Gateway Filtering with SpamAssassin
Description: The email gateway uses SpamAssassin to filter incoming emails, which may involve multiple filtering rules and payloads that resemble malware behavior.
Filter/Exclusion: Exclude processes related to spamassassin or amavisd-new running in the email gateway environment (e.g., amavisd or spamassassin processes with known email filtering signatures).

Scenario: Endpoint Protection Rule Updates
Description: An endpoint protection tool (e.g., CrowdStrike, SentinelOne) performs a rule update that includes multiple filtering mechanisms to enhance detection capabilities.
Filter/Exclusion: Exclude processes associated with endpoint security tools (e.g., crowdstrike or sentinelone) during scheduled rule updates or signature database synchronization.

Scenario: Network Traffic Shaping with Traffic Control (tc)
Description: Network administrators use tc (Traffic Control) in Linux to shape traffic, which may involve multiple filtering and queuing disciplines that could trigger the rule.
Filter/Exclusion: Exclude processes running tc with known administrative commands (e.g., tc qdisc add, tc filter add) executed by privileged users or system maintenance scripts.

Scenario: Log Analysis with ELK Stack
Description: The ELK stack (Elasticsearch, Logstash, Kibana) processes logs using multiple filtering and parsing rules, which may resemble malware