The hypothesis is that the detected behavior indicates an adversary attempting to establish a low-visibility presence within the environment by leveraging suspiciously named artifacts. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential early-stage compromise or reconnaissance activities that may evade traditional detection methods.
YARA Rule
rule suspicious_title : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 4
    strings:
        $magic = { 25 50 44 46 }
        $header = /%PDF-1\.(3|4|6)/
        $title0 = "who cis"
        $title1 = "P66N7FF"
        $title2 = "Fohcirya"
    condition:
        $magic in (0..1024) and $header and 1 of ($title*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task (e.g., schtasks.exe) is running a script that matches the YARA rule due to similar naming or content.
Filter/Exclusion: Exclude processes associated with schtasks.exe or check for the presence of a scheduled task with a known maintenance name.
Scenario: Log File Parsing by SIEM Tool
Description: A SIEM tool (e.g., Splunk, ELK Stack) is parsing log files and generating output that matches the YARA rule due to similar string patterns.
Filter/Exclusion: Exclude processes related to the SIEM tool (e.g., splunkd.exe, logstash.exe) or filter based on file paths common to log parsing activities.
Scenario: Admin Task for Software Deployment
Description: An admin is using a deployment tool (e.g., Ansible, Puppet) to push configuration files that inadvertently match the YARA rule.
Filter/Exclusion: Exclude processes associated with configuration management tools or filter based on known deployment directories (e.g., /opt/deploy/).
Scenario: Temporary File Creation by Scripting Tool
Description: A scripting tool (e.g., PowerShell, Python) is creating temporary files during a legitimate script execution, and those files match the YARA rule.
Filter/Exclusion: Exclude processes with known temporary file patterns or filter based on file extensions (e.g., .tmp, .log).
Scenario: Backup Job Generating Output Files
Description: A backup job (e.g., Veeam, Backup Exec) is generating output files during a backup process that match the YARA rule.
Filter/Exclusion: Exclude processes related to backup tools or filter based on file paths common to backup operations (e.g., `/backup/
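The following Python script is an added example, not part of the original page or of the rule author's work. It re-implements the three parts of the rule's condition (the `%PDF` magic bytes within the first 1024 bytes, the version header regex, and at least one of the three Title strings) so the logic can be stepped through without a YARA installation, and then applies a path-prefix exclusion in the spirit of the deployment and backup scenarios above. The sample PDF fragments and the excluded directory prefixes are constructed for illustration and are not vetted allowlist values.

```python
import re

# Strings transcribed from the YARA rule on this page.
MAGIC = b"%PDF"                                   # { 25 50 44 46 }
HEADER_RE = re.compile(rb"%PDF-1\.(3|4|6)")       # /%PDF-1\.(3|4|6)/
TITLES = [b"who cis", b"P66N7FF", b"Fohcirya"]     # $title0..$title2

# Assumed, illustrative path prefixes drawn from the false-positive
# scenarios above (deployment and backup directories). Tune per environment.
EXCLUDED_PREFIXES = ("/opt/deploy/", "/backup/")


def matches_suspicious_title(data: bytes) -> bool:
    """Mirror of: $magic in (0..1024) and $header and 1 of ($title*).

    In YARA, `$magic in (0..1024)` means the string must START at an offset
    between 0 and 1024 inclusive, so the search window ends at 1024 + len(MAGIC).
    """
    magic_hit = data.find(MAGIC, 0, 1024 + len(MAGIC)) != -1
    header_hit = HEADER_RE.search(data) is not None
    title_hit = any(title in data for title in TITLES)
    return magic_hit and header_hit and title_hit


def triage(path: str, data: bytes) -> str:
    """Classify one file as 'clean', 'excluded' (rule hit in an allowlisted
    location) or 'alert' (rule hit that should reach an analyst)."""
    if not matches_suspicious_title(data):
        return "clean"
    if path.startswith(EXCLUDED_PREFIXES):
        return "excluded"
    return "alert"


# Constructed samples; none of these is real malware.
SAMPLE_HIT = b"%PDF-1.4\n1 0 obj\n<< /Title (Fohcirya) >>\nendobj\n"
SAMPLE_BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Title (Quarterly report) >>\nendobj\n"
# Magic bytes appear only after offset 1024, so `$magic in (0..1024)` fails.
SAMPLE_LATE_MAGIC = b"A" * 2000 + b"%PDF-1.4 P66N7FF"
# Header regex covers only 1.3, 1.4 and 1.6; a 1.5 document does not match.
SAMPLE_OLD_VERSION = b"%PDF-1.5 who cis"

if __name__ == "__main__":
    cases = [
        ("hit in user download", "/home/user/Downloads/invoice.pdf", SAMPLE_HIT),
        ("hit under backup path", "/backup/2024/invoice.pdf", SAMPLE_HIT),
        ("benign title", "/home/user/Downloads/report.pdf", SAMPLE_BENIGN),
        ("magic past 1024", "/tmp/blob.bin", SAMPLE_LATE_MAGIC),
        ("PDF-1.5 header", "/tmp/old.pdf", SAMPLE_OLD_VERSION),
    ]
    for label, path, blob in cases:
        print(f"{label:24s} -> {triage(path, blob)}")
```

The two negative samples show the rule's own boundaries: a `%PDF` marker beyond offset 1024 and a `%PDF-1.5` header both fall outside the condition even when a suspicious Title string is present, which is worth knowing before treating a non-match as a clean verdict. The path-based exclusion is applied only after a positive match, so excluded hits can still be logged for later review rather than silently dropped.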