The BigDig mpModExp rule detects potential exploitation of a cryptographic library to extract private keys, indicating possible advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate sophisticated attacks targeting cryptographic assets.
YARA Rule
rule BigDig_mpModExp
{
    meta:
        author = "Maxx"
        description = "BigDig mpModExp"
    strings:
        $c0 = { 56 8B 74 24 18 85 F6 75 05 83 C8 FF 5E C3 53 55 8B 6C 24 18 57 56 55 E8 ?? ?? ?? ?? 8B D8 83 C4 08 BF 00 00 00 80 8B 44 9D FC 85 C7 75 04 D1 EF 75 F8 83 FF 01 75 08 BF 00 00 00 80 4B EB 02 D1 EF 8B 44 24 18 56 8B 74 24 18 50 56 E8 ?? ?? ?? ?? 83 C4 0C 85 DB 74 4F 8D 6C 9D FC 8B 4C 24 24 8B 54 24 20 51 52 56 56 56 E8 ?? ?? ?? ?? 8B 45 00 83 C4 14 85 C7 74 19 8B 44 24 24 8B 4C 24 20 8B 54 24 18 50 51 52 56 56 E8 ?? ?? ?? ?? 83 C4 14 83 FF 01 75 0B 4B BF 00 00 00 80 83 ED 04 EB }
    condition:
        $c0
}
This rule's detection logic contains a single string pattern, $c0. The scenarios below describe legitimate activity in the contexts where this rule can be deployed, each with a suggested filter/exclusion:
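To see how the $c0 hex string matches (in YARA, "??" is a one-byte wildcard; here each run of four sits after an E8 opcode, x86 CALL rel32, whose relative operand differs between builds), the following added Python example, not part of the rule or of the original page, translates the pattern into a bytes regex and scans a constructed buffer; the only assumption is the constructed filler bytes used to stand in for the wildcards.

```python
import re
from typing import List

# Hex string $c0 copied from the BigDig_mpModExp rule above. In a YARA hex
# string "??" is a single-byte wildcard; each run of four here follows an
# E8 (x86 CALL rel32) opcode, whose relative operand changes between builds.
C0_HEX = """
56 8B 74 24 18 85 F6 75 05 83 C8 FF 5E C3 53 55 8B 6C 24 18 57 56 55 E8
?? ?? ?? ?? 8B D8 83 C4 08 BF 00 00 00 80 8B 44 9D FC 85 C7 75 04 D1 EF
75 F8 83 FF 01 75 08 BF 00 00 00 80 4B EB 02 D1 EF 8B 44 24 18 56 8B 74
24 18 50 56 E8 ?? ?? ?? ?? 83 C4 0C 85 DB 74 4F 8D 6C 9D FC 8B 4C 24 24
8B 54 24 20 51 52 56 56 56 E8 ?? ?? ?? ?? 8B 45 00 83 C4 14 85 C7 74 19
8B 44 24 24 8B 4C 24 20 8B 54 24 18 50 51 52 56 56 E8 ?? ?? ?? ?? 83 C4
14 83 FF 01 75 0B 4B BF 00 00 00 80 83 ED 04 EB
"""


def hex_pattern_to_regex(hex_string: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string (fixed bytes and ?? wildcards) into a bytes regex."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")  # any single byte
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError("unsupported hex token: %r" % tok)
    # DOTALL so the wildcard also matches 0x0A, which "." would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buffer: bytes, hex_string: str = C0_HEX) -> List[int]:
    """Return every offset at which the pattern matches (YARA's @c0 offsets)."""
    return [m.start() for m in hex_pattern_to_regex(hex_string).finditer(buffer)]


def instantiate(hex_string: str, filler: int = 0x90) -> bytes:
    """Constructed test input: the pattern with every ?? replaced by `filler`.
    This is not real BigDig code, only bytes the rule must match."""
    return bytes(filler if t == "??" else int(t, 16) for t in hex_string.split())


if __name__ == "__main__":
    sample = b"\x00" * 32 + instantiate(C0_HEX) + b"\xff" * 8
    print("match offsets:", scan(sample))  # -> [32]
```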
Scenario: Scheduled system maintenance using PowerShell to perform modular exponentiation for cryptographic operations.
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%-Command%'
Scenario: Ansible playbook execution that includes cryptographic tasks (e.g., key generation or encryption) using the bigdig module.
Filter/Exclusion: process.name != "ansible" OR process.args NOT LIKE '%bigdig%'
Scenario: Windows Task Scheduler running a legitimate script that uses OpenSSL for secure communication, which may involve modular exponentiation.
Filter/Exclusion: process.name != "taskhostw.exe" OR process.args NOT LIKE '%openssl%'
Scenario: Vaultwarden (a self-hosted alternative to Bitwarden) performing cryptographic operations during sync or encryption tasks.
Filter/Exclusion: process.name != "vaultwarden" OR process.args NOT LIKE '%--config%'
Scenario: Kubernetes pod running a container with a cryptographic library (e.g., OpenSSL or LibreSSL) that performs modular exponentiation as part of TLS handshake processing.
Filter/Exclusion: process.name != "containerd" OR process.args NOT LIKE '%--network%'