The absence of image files in a system may indicate an adversary attempting to evade detection by removing or hiding critical artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential tampering or data exfiltration efforts.
YARA Rule
rule without_images : mail {
    meta:
        author = "Antonio Sanchez <asanchez@hispasec.com>"
        reference = "http://laboratorio.blogs.hispasec.com/"
        description = "Rule to detect the no presence of any image"
    strings:
        $eml_01 = "From:"
        $eml_02 = "To:"
        $eml_03 = "Subject:"
        $a = ".jpg" nocase
        $b = ".png" nocase
        $c = ".bmp" nocase
    condition:
        all of ( $eml_* ) and
        not $a and not $b and not $c
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
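To see exactly which inputs the condition above fires on, here is the rule's logic re-implemented in plain Python (added here; not code from the rule's author or from the page). The sample messages are constructed for illustration, and the main caveat they show is that an image declared only by MIME type, with no ".jpg"/".png"/".bmp" string anywhere, still matches as "without images", while a header written as "FROM:" fails the case-sensitive $eml_* strings.

```python
"""Plain-Python emulation of the `without_images` YARA rule so its
matching behaviour can be examined without yara-python installed."""

# Plain (case-sensitive) strings, mirroring $eml_01..$eml_03.
EML_HEADERS = (b"From:", b"To:", b"Subject:")
# `nocase` strings, mirroring $a, $b, $c.
IMAGE_EXTS = (b".jpg", b".png", b".bmp")


def without_images(data: bytes) -> bool:
    """True when the YARA condition would fire:
    all of ($eml_*) and not $a and not $b and not $c."""
    has_all_headers = all(h in data for h in EML_HEADERS)
    lowered = data.lower()  # emulate the `nocase` modifier
    has_image_ext = any(ext in lowered for ext in IMAGE_EXTS)
    return has_all_headers and not has_image_ext


def scan_samples(samples: dict) -> dict:
    """Run the rule over every sample; returns name -> matched."""
    return {name: without_images(body) for name, body in samples.items()}


# Constructed sample messages (not taken from the original page).
SAMPLES = {
    # Plain-text mail with no image reference at all: the rule fires.
    "text_only": (
        b"From: alice@example.invalid\r\nTo: bob@example.invalid\r\n"
        b"Subject: Quarterly report\r\n\r\nPlease see the numbers below.\r\n"
    ),
    # Logo referenced by filename: "LOGO.PNG" matches $b thanks to `nocase`.
    "inline_logo": (
        b"From: news@example.invalid\r\nTo: bob@example.invalid\r\n"
        b"Subject: Newsletter\r\nContent-Type: multipart/mixed; boundary=\"x\"\r\n\r\n"
        b"--x\r\nContent-Disposition: attachment; filename=\"LOGO.PNG\"\r\n--x--\r\n"
    ),
    # Image declared only by MIME type, no extension string anywhere: the
    # rule still fires, so a MIME-aware parser is needed to close this gap.
    "mime_only_image": (
        b"From: news@example.invalid\r\nTo: bob@example.invalid\r\n"
        b"Subject: Picture\r\nContent-Type: image/jpeg\r\n\r\n/9j/4AAQSkZJRg==\r\n"
    ),
    # Upper-case headers: "FROM:" does not match the case-sensitive $eml_01.
    "uppercase_headers": (
        b"FROM: alice@example.invalid\r\nTO: bob@example.invalid\r\nSUBJECT: hi\r\n"
    ),
}

if __name__ == "__main__":
    for name, matched in scan_samples(SAMPLES).items():
        print(f"{name:18s} -> {'MATCH' if matched else 'no match'}")
```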
Scenario: A system administrator is performing a routine disk cleanup and deletes image files from a shared folder.
Filter/Exclusion: Exclude file deletions from known admin accounts (e.g., Administrator, root, svc_account) or specific folders like C:\Temp or /var/tmp.
Scenario: A scheduled job runs to archive old user profiles, which includes deleting image files stored in user home directories.
Filter/Exclusion: Exclude file deletions from scheduled tasks associated with specific job names (e.g., ArchiveUserProfiles) or from user directories (e.g., C:\Users\*\AppData\Local\) during known maintenance windows.
Scenario: A developer is testing a script that generates temporary image files, which are later deleted as part of the test process.
Filter/Exclusion: Exclude file deletions from temporary directories (e.g., C:\Users\*\AppData\Local\Temp, /tmp) or from processes associated with development tools (e.g., Python, Node.js, Docker).
Scenario: A backup system runs and purges old image files from a backup directory to free up storage space.
Filter/Exclusion: Exclude file deletions from backup directories (e.g., C:\Backup\, /backup/) or from processes associated with backup tools (e.g., Veeam, Commvault, Bacula).
Scenario: An IT support team member is troubleshooting an application that stores temporary image files, and they manually delete them to resolve an issue.
Filter/Exclusion: Exclude file deletions from processes associated with IT support tools (e.g., Remote Desktop Services, TeamViewer, LogMeIn) or from specific user accounts used for support tasks.