The BigDig_spModMult rule fingerprints a compiled spModMult routine (a modular multiplication step from a big-integer arithmetic module) bundled into a binary, which can indicate an adversary carrying their own cryptographic code rather than relying on the platform's libraries, a trait associated with advanced persistent threat activity. SOC teams should proactively hunt for this code pattern in Azure Sentinel to identify and mitigate sophisticated attacks that evade standard detection mechanisms.
YARA Rule

rule BigDig_spModMult
{
    meta:
        author = "Maxx"
        description = "BigDig spModMult"
    strings:
        $c0 = { 8B 44 24 0C 8B 4C 24 08 83 EC 08 8D 54 24 00 50 51 52 E8 ?? ?? ?? ?? 8B 44 24 24 6A 02 8D 4C 24 10 50 51 E8 ?? ?? ?? ?? 8B 54 24 24 89 02 33 C0 83 C4 20 C3 }
    condition:
        $c0
}
This rule contains a single hex string pattern ($c0) in its detection logic. The two `E8 ?? ?? ?? ??` groups wildcard the 4-byte relative displacement of a CALL instruction, so the pattern still matches when the called helpers land at different addresses in different builds. The rule can be deployed in the following contexts, with the tuning filters listed for each; note that exclusions keyed on process name alone are easy to bypass by renaming, so pair them with path or signer checks where the telemetry allows.
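To make the wildcard behaviour concrete, the following added example (not code from the page or from the YARA project) translates the rule's $c0 hex string into a byte-level regular expression and scans a constructed buffer with it. The sample bytes are the rule's own pattern with two arbitrary, constructed CALL displacements filled into the wildcard slots and padded with filler on both sides; offsets, displacements and helper names are assumptions for illustration. In production you would compile the rule with yara-python instead, but this shows exactly which bytes the rule pins and which it lets vary.

```python
import re

# The $c0 hex string from the BigDig_spModMult rule (copied from the page).
C0_HEX = (
    "8B 44 24 0C 8B 4C 24 08 83 EC 08 8D 54 24 00 50 51 52 E8 ?? ?? ?? ?? "
    "8B 44 24 24 6A 02 8D 4C 24 10 50 51 E8 ?? ?? ?? ?? 8B 54 24 24 89 02 "
    "33 C0 83 C4 20 C3"
)


def hex_pattern_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA-style hex string into a compiled bytes regex.

    Only the subset the rule above uses is handled: two-digit hex bytes and
    full-byte '??' wildcards (YARA also supports nibble wildcards, jumps and
    alternatives, which this helper deliberately rejects).
    """
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")                      # any single byte
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    # DOTALL so the wildcard also matches 0x0A.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, hex_string: str = C0_HEX) -> list:
    """Return every offset at which the pattern occurs in data."""
    pat = hex_pattern_to_regex(hex_string)
    return [m.start() for m in pat.finditer(data)]


def pattern_length(hex_string: str = C0_HEX) -> int:
    """Number of bytes the pattern covers (wildcards included)."""
    return len(hex_string.split())


def build_sample(call1: int, call2: int, lead: int = 16) -> bytes:
    """Constructed sample buffer (not a real binary): the spModMult body with
    concrete rel32 CALL displacements written into the two wildcard slots,
    preceded by `lead` NOP bytes and followed by INT3 padding, so the expected
    match offset is `lead`."""
    fills = list(call1.to_bytes(4, "little", signed=True)
                 + call2.to_bytes(4, "little", signed=True))
    body = bytearray()
    for tok in C0_HEX.split():
        body.append(fills.pop(0) if tok == "??" else int(tok, 16))
    return b"\x90" * lead + bytes(body) + b"\xCC" * 8


if __name__ == "__main__":
    # Two builds with different call targets still match at the same offset.
    for displacements in ((-0x120, 0x3F), (0x1000, -0x7FFF)):
        print(displacements, scan(build_sample(*displacements)))
```

A single byte change outside the wildcard slots (for example patching the `33 C0` xor) breaks the match, which is the flip side of an exact-byte signature: it is precise but build-specific, so a rule like this is best treated as a high-confidence, low-coverage indicator.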
Scenario: Scheduled system maintenance using task scheduler to run a disk cleanup or defragmentation tool
Filter/Exclusion: process.parent_process == "schtasks.exe" or process.name == "defrag.exe"
Scenario: Admin performing a software update via Windows Update or using WSUS (Windows Server Update Services)
Filter/Exclusion: process.name == "wusa.exe" or process.name == "wuauclt.exe"
Scenario: Running a legitimate security scan with Nessus or OpenVAS during a vulnerability assessment
Filter/Exclusion: process.name == "nessuscli.exe" or process.name == "openvas-check-setup"
Scenario: Using PowerShell to automate routine system checks or configuration audits
Filter/Exclusion: process.name == "powershell.exe" and (process.command_line contains "audit" or process.command_line contains "check")
Scenario: Executing a backup job using Veeam or Commvault that involves file system operations
Filter/Exclusion: (process.name == "veeam.exe" or process.name == "cvbackup.exe") and (process.command_line contains "backup" or process.command_line contains "snapshot")