BigDig mpModulo

Hunt Hypothesis

The BigDig mpModulo rule detects potential obfuscation or evasion techniques used by adversaries to manipulate modulo operations in memory, which may indicate the presence of malware or advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate sophisticated attacks that evade traditional detection methods.

YARA Rule

rule BigDig_mpModulo
{	meta:
		author = "Maxx"
		description = "BigDig mpModulo"
	strings:
		$c0 = { 8B 44 24 10 81 EC 30 03 00 00 8B 8C 24 38 03 00 00 8D 54 24 00 56 8B B4 24 40 03 00 00 57 8B BC 24 4C 03 00 00 57 50 56 51 8D 84 24 B0 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 94 24 54 03 00 00 8D 4C 24 20 57 51 52 E8 ?? ?? ?? ?? 8D 44 24 2C 56 50 E8 ?? ?? ?? ?? 8D 8C 24 CC 01 00 00 56 51 E8 ?? ?? ?? ?? 83 C4 34 33 C0 5F 5E 81 C4 30 03 00 00 C3 }
	condition:
		$c0
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 1 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate system maintenance task, such as a disk cleanup or log rotation, uses the mpModulo function in a script or tool like PowerShell or Python.
  Filter/Exclusion: Exclude processes associated with scheduled tasks (e.g., schtasks.exe, Task Scheduler), or filter by process name or command line arguments containing known maintenance scripts.

• Scenario: Database Index Optimization Job
  Description: A database administrator runs an index optimization job using a tool like SQL Server Management Studio (SSMS) or pgAdmin, which may trigger the mpModulo function during data processing.
  Filter/Exclusion: Exclude processes related to database tools or filter by user account (e.g., dbadmin, sa) or specific database names.

• Scenario: Log File Analysis with Splunk
  Description: A security analyst uses Splunk to analyze log files, and during parsing, the mpModulo function is invoked as part of log normalization or pattern matching.
  Filter/Exclusion: Exclude processes associated with Splunk (splunkd.exe, splunkforwarder.exe) or filter by user account (e.g., splunkuser).

• Scenario: Custom Script for Data Aggregation
  Description: A custom script written in Python or Bash, used for data aggregation or reporting, utilizes the mpModulo function for calculations.
  Filter/Exclusion: Exclude processes with known script paths (e.g., /opt/scripts/aggregator.sh, C:\scripts\reporter.py) or filter by user account (e.g., data_engineer).

• Scenario: Network Traffic Analysis with Wireshark
  Description: A network analyst uses Wireshark to analyze packet captures, and during analysis, the