The presence of Regin's RC5 decryption keys in a file or memory image indicates potential activity by an advanced persistent threat that uses cryptographic techniques to protect its payloads and the data it exfiltrates. SOC teams should proactively hunt for these byte patterns in Azure Sentinel to identify and mitigate early-stage ransomware or data exfiltration campaigns.
YARA Rule

rule apt_regin_rc5key
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin RC5 decryption keys"
        version = "1.0"
        last_modified = "2014-11-18"
    strings:
        $key1 = {73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01}
        $key2 = {10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78}
    condition:
        any of ($key*)
}
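To show what the rule's condition actually evaluates, here is an added example (not from the page's author or from Kaspersky Lab) that compiles the two hex strings above into byte patterns, scans a buffer and applies `any of ($key*)`; it goes slightly beyond the rule by also handling YARA's `??` single-byte wildcard. The sample buffers are constructed for the demonstration and are not real Regin artifacts.

```python
import re

# The two hex strings taken from the apt_regin_rc5key rule above.
RULE_STRINGS = {
    "$key1": "{73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01}",
    "$key2": "{10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78}",
}


def compile_hex_string(hex_string: str) -> re.Pattern:
    """Turn a YARA hex string such as "{73 23 ?? 43}" into a compiled bytes regex.

    Literal bytes are escaped; the ?? token becomes a wildcard for any single byte.
    """
    tokens = hex_string.strip().strip("{}").split()
    parts = []
    for tok in tokens:
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_hex_string(h) for name, h in RULE_STRINGS.items()}


def scan(data: bytes) -> dict:
    """Return {identifier: [offsets]} for every rule string found in data."""
    hits = {}
    for name, pattern in COMPILED.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition `any of ($key*)`: true if at least one $key string is present."""
    return any(name.startswith("$key") for name in scan(data))


if __name__ == "__main__":
    # Constructed sample: zero filler with $key2 embedded at offset 64, then some padding.
    sample = bytes(64) + bytes.fromhex("1019532A11EDA3743FC3723F9D943D78") + b"A" * 32
    print(rule_matches(sample), scan(sample))  # True {'$key2': [64]}
    print(rule_matches(b"\x00" * 128))         # False
```

The offsets returned by `scan` are what an analyst would pivot on when triaging a hit, since a key sitting inside a known benign binary's data section reads very differently from one found in an unbacked memory region.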
This rule contains 2 string patterns (the two 16-byte RC5 keys) in its detection logic. When the rule is deployed, the following scenarios describe activity that may trigger it and the filters or exclusions to apply in each case:
Scenario: System backup process using Veeam Backup & Replication
Description: Veeam may generate RC5 decryption keys during backup operations as part of its encryption settings.
Filter/Exclusion: Check for process.name containing "Veeam" or "backup" and filter by process.parent.name matching the backup service or scheduler.

Scenario: Scheduled job using Microsoft PowerShell for report generation
Description: PowerShell scripts running under elevated privileges may inadvertently use RC5 encryption libraries, generating false positives.
Filter/Exclusion: Filter by process.name containing "powershell.exe" and check for process.command_line containing "report" or "generate".

Scenario: Admin task using Microsoft Sysinternals Process Explorer
Description: Process Explorer may use RC5 encryption for memory analysis or data extraction, leading to a false positive.
Filter/Exclusion: Filter by process.name containing "procexp.exe" or "Process Explorer" and exclude processes whose user.name is "Administrator".

Scenario: Encryption of sensitive data using BitLocker Drive Encryption
Description: BitLocker may generate RC5 keys during encryption or decryption, which could trigger the rule.
Filter/Exclusion: Filter by process.name containing "BitLocker" or "manage-bde.exe" and check for process.args containing "encrypt" or "decrypt".

Scenario: Log analysis using Splunk with RC5 encryption for logs
Description: Splunk may use RC5 encryption for log data at rest, causing the rule to trigger during log parsing.
Filter/Exclusion: Filter by process.name containing "splunkd" or "splunk" and check for process.args containing "encrypt" or "log".