RTF files may be used to deliver malicious payloads through embedded macros, making them a potential vector for initial compromise. SOC teams should proactively hunt for RTF file activity in Azure Sentinel to identify and mitigate potential phishing or malware delivery attempts.
YARA Rule
```yara
rule RTFFILE {
    meta:
        description = "Detects RTF files"
    condition:
        // First four bytes are "{\rt", the start of the "{\rtf" header
        uint32be(0) == 0x7B5C7274
}
```
The following benign activities also create RTF files and will match this rule; when deploying it, apply the listed filters so that expected sources do not generate alerts:

Scenario: A user is generating RTF files for document collaboration using Microsoft Word or LibreOffice.
Filter/Exclusion: Exclude files created by known word processors using the file_type field, or check the process_name for winword.exe or libreoffice.exe.

Scenario: A scheduled backup job is exporting configuration files in RTF format using Veeam Backup & Replication or Commvault.
Filter/Exclusion: Exclude files with a file_extension of .rtf that are generated by backup tools, using a custom field or tag such as backup_job_id.

Scenario: An administrative task is using PowerShell to generate RTF reports for internal use.
Filter/Exclusion: Exclude files created by PowerShell scripts using the process_name field with powershell.exe combined with a custom tag such as internal_reporting.

Scenario: A system log parser is converting log entries into RTF format for archival using Splunk or the ELK Stack.
Filter/Exclusion: Exclude files with a file_type of rtf that are generated by log parsing tools, using a tool_name field or a custom tag such as log_parser.

Scenario: A third-party application such as Adobe FrameMaker is exporting documentation in RTF format.
Filter/Exclusion: Exclude files created by specific applications using the process_name field, such as FrameMaker.exe, or by checking the file_creation_tool field.
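The following Python is an added example, not part of the original page: it replicates the rule's four-byte header check and applies an exclusion table built from the scenarios above to constructed file-creation events. The event fields, tag names and the `triage` helper are assumptions for illustration; the rule only inspects the first four bytes, so anything that does not start with "{\rt" is reported as no match.

```python
import struct

# Same constant as the YARA condition: the bytes "{\rt" read as a big-endian uint32.
RTF_MAGIC = 0x7B5C7274

# Assumed exclusion table mirroring the scenarios above: each entry is
# (process_name, required_tag); None means the field is not checked.
EXCLUSIONS = [
    ("winword.exe", None),                     # Microsoft Word
    ("libreoffice.exe", None),                 # LibreOffice
    ("powershell.exe", "internal_reporting"),  # admin reporting scripts
    ("framemaker.exe", None),                  # Adobe FrameMaker export
    (None, "backup_job_id"),                   # backup job exports
    (None, "log_parser"),                      # log archival tooling
]

def matches_rtf_rule(data: bytes) -> bool:
    """Replicates the RTFFILE condition: uint32be(0) == 0x7B5C7274."""
    if len(data) < 4:
        return False  # uint32be(0) is undefined on shorter data; YARA treats that as no match
    return struct.unpack(">I", data[:4])[0] == RTF_MAGIC

def is_excluded(process_name: str, tags: set) -> bool:
    """True if the file-creation event falls under one of the benign scenarios."""
    proc = process_name.lower()
    for exc_proc, exc_tag in EXCLUSIONS:
        if exc_proc is not None and proc != exc_proc:
            continue
        if exc_tag is not None and exc_tag not in tags:
            continue
        return True
    return False

def triage(event: dict) -> str:
    """Classify one file-creation event as 'alert', 'excluded' or 'no_match'."""
    if not matches_rtf_rule(event["content"]):
        return "no_match"
    if is_excluded(event["process_name"], set(event.get("tags", []))):
        return "excluded"
    return "alert"

# Constructed sample events (hypothetical telemetry, not from the original page).
SAMPLE_EVENTS = [
    {"name": "mail_attachment", "content": b"{\\rtf1\\ansi ...", "process_name": "outlook.exe", "tags": []},
    {"name": "word", "content": b"{\\rtf1\\ansi\\deff0 ...", "process_name": "WINWORD.EXE", "tags": []},
    {"name": "ps_report", "content": b"{\\rtf1 ...", "process_name": "powershell.exe", "tags": ["internal_reporting"]},
    {"name": "ps_untagged", "content": b"{\\rtf1 ...", "process_name": "powershell.exe", "tags": []},
    {"name": "docx", "content": b"PK\x03\x04 ...", "process_name": "outlook.exe", "tags": []},
]

def triage_all(events=SAMPLE_EVENTS) -> dict:
    """Run triage over every sample event and return {name: verdict}."""
    return {e["name"]: triage(e) for e in events}
```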