The hypothesis is that an adversary may be delivering malicious content under a suspicious Creator value, leveraging an unusual or non-standard authoring tool to evade detection that keys on well-known producers. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential initial compromise vectors that may not be captured by traditional detection methods.
YARA Rule
rule suspicious_creator : PDF raw
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
weight = 3
strings:
$magic = { 25 50 44 46 }
$header = /%PDF-1\.(3|4|6)/
$creator0 = "yen vaw"
$creator1 = "Scribus"
$creator2 = "Viraciregavi"
condition:
$magic in (0..1024) and $header and 1 of ($creator*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic: the hex magic bytes `25 50 44 46` (`%PDF`), a header regex restricted to PDF versions 1.3, 1.4 and 1.6, and three literal Creator strings ("yen vaw", "Scribus", "Viraciregavi"). The condition fires only when the magic bytes appear within the first 1024 bytes, the header regex matches, and at least one of the Creator strings is present.
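To show what the condition above actually evaluates, here is an added pure-Python re-implementation of the rule's logic (example code written for this page, not Glenn Edwards' rule or the yara-python library). It assumes the same five patterns transcribed from the rule, and the sample PDF byte strings are constructed for the demonstration; the two negative cases illustrate the two gates that most often stop a hit, a PDF version outside 1.3/1.4/1.6 and magic bytes that appear later than offset 1024.

```python
import re

# Patterns transcribed from the suspicious_creator rule on this page.
MAGIC = b"%PDF"                                   # { 25 50 44 46 }
HEADER_RE = re.compile(rb"%PDF-1\.(3|4|6)")       # $header
CREATORS = (b"yen vaw", b"Scribus", b"Viraciregavi")  # $creator0..$creator2
MAGIC_MAX_OFFSET = 1024                            # $magic in (0..1024)


def scan(data: bytes) -> dict:
    """Evaluate the rule's condition over raw file bytes.

    Returns the individual sub-results alongside the overall verdict so an
    analyst can see which gate passed or failed, not just the final boolean.
    """
    # YARA's `in (0..1024)` accepts any occurrence whose offset is <= 1024;
    # the first occurrence is the lowest offset, so checking it is sufficient.
    first_magic = data.find(MAGIC)
    magic_hit = 0 <= first_magic <= MAGIC_MAX_OFFSET

    header_hit = HEADER_RE.search(data) is not None

    # Literal, case-sensitive substring matches, exactly as YARA treats
    # unmodified text strings.
    creators = [c.decode() for c in CREATORS if c in data]

    return {
        "magic": magic_hit,
        "header": header_hit,
        "creators": creators,
        "match": magic_hit and header_hit and bool(creators),
    }


# Constructed sample inputs (not real files).
SAMPLE_BENIGN = (
    b"%PDF-1.4\n1 0 obj\n<< /Creator (Microsoft Word) /Producer (Acrobat) >>\n"
    b"endobj\n%%EOF\n"
)
SAMPLE_SUSPICIOUS = (
    b"%PDF-1.6\n1 0 obj\n<< /Creator (Scribus) >>\nendobj\n%%EOF\n"
)
# Creator string present, but PDF-1.7 is outside the header regex.
SAMPLE_WRONG_VERSION = (
    b"%PDF-1.7\n1 0 obj\n<< /Creator (yen vaw) >>\nendobj\n%%EOF\n"
)
# Creator string present, but the magic bytes sit past offset 1024.
SAMPLE_LATE_MAGIC = b"\x00" * 2000 + (
    b"%PDF-1.4\n1 0 obj\n<< /Creator (Viraciregavi) >>\nendobj\n%%EOF\n"
)


if __name__ == "__main__":
    for name, blob in [
        ("benign", SAMPLE_BENIGN),
        ("suspicious", SAMPLE_SUSPICIOUS),
        ("wrong_version", SAMPLE_WRONG_VERSION),
        ("late_magic", SAMPLE_LATE_MAGIC),
    ]:
        print(f"{name:14s} -> {scan(blob)}")
```

Two points for triage follow directly from the logic: the Creator strings are exact, case-sensitive substrings, so a lower-cased or whitespace-altered value will not match, and Scribus is a legitimate open-source desktop-publishing application, which is consistent with the rule's modest `weight = 3` and argues for treating a hit as a lead to review rather than an automatic block.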
Scenario: A system administrator is using task scheduler to run a legitimate maintenance script (e.g., C:\Windows\System32\wbem\Microsoft.WBEM.Service)
Filter/Exclusion: Exclude processes created by task scheduler or with command line containing schtasks.exe or at.exe
Scenario: A database administrator is using SQL Server Agent to schedule a backup job (e.g., C:\Program Files\Microsoft SQL Server\150\Tools\Binn\ManagementStudio\sqlagent.exe)
Filter/Exclusion: Exclude processes with image file name matching SQL Server Agent or with command line containing sqlagent.exe
Scenario: A developer is using PowerShell to run a scheduled script (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) as part of a CI/CD pipeline
Filter/Exclusion: Exclude processes with command line containing powershell.exe and -ExecutionPolicy or -File with known CI/CD script paths
Scenario: A system update is being applied via Windows Update (e.g., C:\Windows\System32\wuauclt.exe)
Filter/Exclusion: Exclude processes with image file name matching wuauclt.exe or wuauserv.exe
Scenario: A user is running a legitimate third-party tool (e.g., 7-Zip or WinRAR) with elevated privileges for file extraction
Filter/Exclusion: Exclude processes with image file name matching 7z.exe, rar.exe, or winrar.exe when running from known trusted directories