An adversary may abuse PDF incremental updates (appending new objects, a new cross-reference section and a new trailer to an existing file instead of rewriting it) to hide malicious content or staged data inside a document that still opens and looks benign. The original bytes are left untouched, so simple hash or signature comparisons against the earlier version are not enough; the tell is structural, namely more than one trailer and %%EOF marker in the same file. SOC teams should proactively hunt for this pattern in Azure Sentinel, correlated with file-modification telemetry, to identify potential data staging or exfiltration attempts and disrupt ongoing malicious activity.
YARA Rule
rule multiple_versions : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        description = "Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed"
        weight = 1
    strings:
        $magic = { 25 50 44 46 }
        $s0 = "trailer"
        $s1 = "%%EOF"
    condition:
        $magic in (0..1024) and #s0 > 1 and #s1 > 1
}
The rule uses three string patterns. $magic is the %PDF header (bytes 25 50 44 46), which must start within the first 1024 bytes of the file; $s0 is the trailer keyword; $s1 is the %%EOF end-of-file marker. A PDF written from scratch contains exactly one trailer and one %%EOF. An incremental update appends the changed objects, a new cross-reference section and a new trailer (linked to the previous one through /Prev) after the existing %%EOF, so every update adds one more of each, and the condition fires once more than one of each is present. As the author's description says, this is a weak signal on its own: any PDF saved incrementally by a viewer (annotations, form fills, each applied digital signature) has the same structure, and the string counts can also be inflated by the words "trailer" or "%%EOF" occurring inside stream data.
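The following added example (not part of the original page or of the rule author's tooling) builds a constructed minimal PDF, appends an incremental update the way a PDF writer, or an attacker superseding an object, would, and re-implements the rule's condition in Python next to a stricter check that walks the startxref/trailer//Prev chain. All objects, offsets and the page redefinition are constructed for illustration; the behaviour of /Prev and startxref follows the PDF file structure itself.

```python
import re

# Added example, not code from the original page. Everything below is a
# constructed sample: a tiny PDF, an appended incremental update, and two
# checks (the YARA rule's string counting, and a trailer-chain walk).


def build_base_pdf() -> bytes:
    """Constructed sample: a single-page PDF with one xref table and one trailer."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_offset = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_offset)
    return bytes(out)


def last_startxref(data: bytes) -> int:
    """Offset of the most recent xref section, read from the final startxref."""
    return int(re.findall(rb"startxref\s+(\d+)", data)[-1])


def add_incremental_update(data: bytes, obj_num: int, body: bytes) -> bytes:
    """Append a replacement definition of obj_num without touching earlier bytes.
    The new trailer's /Prev links back to the previous xref, so a conforming
    reader uses the appended object and ignores the superseded original."""
    out = bytearray(data)
    obj_offset = len(out)
    out += b"%d 0 obj\n%s\nendobj\n" % (obj_num, body)
    xref_offset = len(out)
    out += b"xref\n%d 1\n%010d 00000 n \n" % (obj_num, obj_offset)
    out += b"trailer\n<< /Size %d /Root 1 0 R /Prev %d >>\nstartxref\n%d\n%%%%EOF\n" % (
        obj_num + 1, last_startxref(data), xref_offset)
    return bytes(out)


def matches_multiple_versions(data: bytes) -> bool:
    """Python equivalent of the YARA condition:
    $magic in (0..1024) and #s0 > 1 and #s1 > 1.
    The magic match may start anywhere from offset 0 up to and including 1024."""
    magic_in_range = data.find(b"%PDF", 0, 1024 + len(b"%PDF")) != -1
    return magic_in_range and data.count(b"trailer") > 1 and data.count(b"%%EOF") > 1


def count_linked_revisions(data: bytes) -> int:
    """Stricter check: follow startxref -> trailer -> /Prev back to the first
    revision. Unlike raw string counts this ignores 'trailer' or '%%EOF' that
    merely appear inside stream data, and it stops on bogus or looping offsets.
    A gap between this count and data.count(b"%%EOF") is itself worth a look."""
    revisions, seen = 0, set()
    offset = last_startxref(data)
    while offset not in seen and data.startswith(b"xref", offset):
        seen.add(offset)
        revisions += 1
        trailer_pos = data.find(b"trailer", offset)
        if trailer_pos == -1:
            break
        end = data.find(b"startxref", trailer_pos)
        if end == -1:
            break
        prev = re.search(rb"/Prev\s+(\d+)", data[trailer_pos:end])
        if not prev:
            break
        offset = int(prev.group(1))
    return revisions


if __name__ == "__main__":
    base = build_base_pdf()
    # Update-style tampering: redefine the page object; the original stays in
    # the file but a reader resolves object 3 to the appended definition.
    tampered = add_incremental_update(
        base, 3, b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 600 800] >>")
    for label, pdf in (("base", base), ("tampered", tampered)):
        print(label, "rule match:", matches_multiple_versions(pdf),
              "linked revisions:", count_linked_revisions(pdf),
              "%%EOF count:", pdf.count(b"%%EOF"))
```

Running the script shows the base file does not match while the updated file does, with the chain walk reporting two linked revisions. If you have yara-python installed, compiling the rule above and calling `rules.match(data=tampered)` gives the same verdict as `matches_multiple_versions`; the chain walk is the extra check to run on hits before escalating, since it separates a genuine revision history from stray keyword occurrences.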
Tuning for false positives
The rule inspects file content only; it has no notion of which process wrote the file. A file without a %PDF header in its first 1024 bytes never matches, so ordinary configuration files, logs and scripts are out of scope regardless of who touches them. The exclusions below therefore apply to the file-modification telemetry (process name, command line, path) that a Sentinel hunt correlates with a YARA hit, and they only matter when the process in question writes PDFs.
Scenario: A system administrator is using a PowerShell script to update a configuration file with new settings.
Filter/Exclusion: Check for powershell.exe or pwsh.exe in the process name or command line, and exclude files in known admin directories such as C:\Windows\System32\ or C:\Program Files\.
Scenario: A scheduled task is running a legitimate maintenance script that modifies a log file.
Filter/Exclusion: schtasks.exe only creates and queries tasks; the task itself runs under the executable configured in the task (for a script, the script host), so filter on that process rather than on schtasks.exe, and exclude files in the C:\Windows\Tasks\ directory or those with a .bat or .ps1 extension.
Scenario: A backup tool such as Veeam or Commvault is performing a file integrity check and updating metadata.
Filter/Exclusion: Filter by the backup product's process names (for example VeeamBackup.exe or Commvault.exe; confirm the exact executable names in your environment). Excluding extensions such as .vbm, .vmdk or .log is harmless but redundant here, since those files carry no %PDF header and cannot match the rule.
Scenario: A database administrator is using SQL Server Management Studio (SSMS) to update a configuration file for a database instance.
Filter/Exclusion: Check for process names such as sqlservr.exe (the engine) or Ssms.exe (the management console), and exclude files in the C:\Program Files\Microsoft SQL Server\ directory.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) is deploying code and updating configuration files in a development environment.
Filter/Exclusion: Exclude files in directories such as C:\jenkins\workspace\ or C:\Users\dev\, and filter by process names such as java.exe or dotnet.exe.