The suspicious producer rule detects potential adversarial activity where an unknown or unexpected process is generating output that may indicate malicious behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that may evade traditional detection methods.
YARA Rule
```yara
rule suspicious_producer : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 2
    strings:
        $magic = { 25 50 44 46 }
        $header = /%PDF-1\.(3|4|6)/
        $producer0 = /Producer \(Scribus PDF Library/
        $producer1 = "Notepad"
    condition:
        $magic in (0..1024) and $header and 1 of ($producer*)
}
```
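To see exactly what the condition above accepts and rejects, here is an added example (not part of the original page or Glenn Edwards' rule set) that re-implements the rule's four strings and its condition in plain Python and runs it over constructed PDF fragments; the sample bytes and the helper names are assumptions made for the demonstration, and the version-header and offset cases show two edges the rule deliberately leaves out.

```python
import re

# Pure-Python mirror of the rule's strings (no yara-python needed). Names map one-to-one.
MAGIC = b"%PDF"                                   # $magic = { 25 50 44 46 }
HEADER = re.compile(rb"%PDF-1\.(3|4|6)")          # $header: only PDF 1.3 / 1.4 / 1.6
PRODUCERS = {
    "$producer0": re.compile(rb"Producer \(Scribus PDF Library"),
    "$producer1": re.compile(re.escape(b"Notepad")),   # plain, case-sensitive string
}

def matched_strings(data: bytes) -> list[str]:
    """Return the rule string identifiers that hit, in rule order."""
    hits = []
    off = data.find(MAGIC)
    if 0 <= off <= 1024:          # "$magic in (0..1024)": first offset must lie in range
        hits.append("$magic")
    if HEADER.search(data):
        hits.append("$header")
    for name, pat in PRODUCERS.items():
        if pat.search(data):
            hits.append(name)
    return hits

def suspicious_producer(data: bytes) -> bool:
    """Condition: $magic in (0..1024) and $header and 1 of ($producer*)."""
    hits = matched_strings(data)
    return "$magic" in hits and "$header" in hits and any(h.startswith("$producer") for h in hits)

# Constructed samples (not real files): just enough bytes to drive each branch of the condition.
SAMPLES = {
    "scribus":    b"%PDF-1.4\n1 0 obj\n<< /Producer (Scribus PDF Library 1.4.6) >>\nendobj\n",
    "notepad":    b"%PDF-1.6\n1 0 obj\n<< /Producer (Notepad) >>\nendobj\n",
    "adobe":      b"%PDF-1.4\n1 0 obj\n<< /Producer (Adobe PDF Library 15.0) >>\nendobj\n",
    "pdf17":      b"%PDF-1.7\n1 0 obj\n<< /Producer (Notepad) >>\nendobj\n",        # header not in (3|4|6)
    "late_magic": b"A" * 2000 + b"%PDF-1.4\n<< /Producer (Notepad) >>\n",          # magic past offset 1024
}

def scan_samples() -> dict[str, bool]:
    """Verdict per constructed sample, as a YARA scan of each blob would report it."""
    return {name: suspicious_producer(blob) for name, blob in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:11s} -> {'MATCH' if verdict else 'no match'}")
```

The `pdf17` and `late_magic` cases are worth noting when tuning: a file with a 1.5/1.7 header, or one whose `%PDF` magic is pushed beyond the first 1024 bytes by leading junk, never fires this rule even with a suspicious producer string present.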
This rule contains 4 string patterns in its detection logic.

This YARA rule can be deployed in the following contexts:

Scenario: System update or patching process using wsusoffline
Filter/Exclusion: Exclude processes initiated by wsusoffline or associated with Windows Update services (wuauserv)

Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Exclude processes with veeam in the command line or associated with Veeam backup schedules

Scenario: Log collection or monitoring tool like Splunk or ELK Stack
Filter/Exclusion: Exclude processes with splunk or logstash in the command line, or those running under the log management service account

Scenario: Administrative task using PowerShell for system maintenance
Filter/Exclusion: Exclude PowerShell scripts executed by LocalSystem or the Administrators group with known maintenance scripts

Scenario: Antivirus or endpoint protection tool like Bitdefender or Kaspersky
Filter/Exclusion: Exclude processes with bitdefender or kav in the process name, or those running under the endpoint security service account