This YARA rule flags files or memory regions that contain the leading 32-bit words of the Blowfish S-boxes. Those tables are fixed (they are the fractional hexadecimal digits of pi), so any statically linked Blowfish implementation embeds them, which makes the rule a dependable way to tag a sample as carrying the cipher. Malware has used Blowfish to protect configuration, command-and-control traffic and staged data before exfiltration, but the same constants also appear in bcrypt password-hashing code and in general-purpose crypto libraries such as OpenSSL's libcrypto, so a hit is a classification signal for triage rather than an alert on its own. Microsoft Sentinel (formerly Azure Sentinel) does not scan file content itself: run the rule in a YARA-capable scanner (on-disk sweeps, sandbox detonations, memory dumps) and forward the matches to the SIEM so analysts can hunt on them alongside process and network telemetry.
YARA Rule
rule BLOWFISH_Constants {
    meta:
        author = "phoul (@phoul)"
        description = "Look for Blowfish constants"
        date = "2014-01"
        version = "0.1"
    strings:
        // Each 32-bit S-box word is listed twice: as written (big-endian)
        // and byte-swapped, so the rule fires on builds of either endianness.
        $c0 = { D1310BA6 }    // S-box 0, word 0
        $c1 = { A60B31D1 }
        $c2 = { 98DFB5AC }    // S-box 0, word 1
        $c3 = { ACB5DF98 }
        $c4 = { 2FFD72DB }    // S-box 0, word 2
        $c5 = { DB72FD2F }
        $c6 = { D01ADFB7 }    // S-box 0, word 3
        $c7 = { B7DF1AD0 }
        $c8 = { 4B7A70E9 }    // S-box 1, word 0
        $c9 = { E9707A4B }
        $c10 = { F64C261C }   // S-box 2, word 2
        $c11 = { 1C264CF6 }
    condition:
        // A compiled table is stored in one byte order, so "6 of them"
        // effectively requires all six words in that order.
        6 of them
}
This YARA rule can be deployed in the following contexts:
The rule carries 12 hex string patterns: six 32-bit S-box words, each in big-endian and byte-swapped form, so it matches implementations compiled for either endianness. Expect benign matches from crypto libraries (OpenSSL libcrypto, libgcrypt), from bcrypt password-hashing code (Go's x/crypto/bcrypt, PHP's password_hash, Python's bcrypt module) and from SSH software (OpenSSH's bcrypt_pbkdf key-file protection, PuTTY's Blowfish support), so the scenarios below treat a hit as a tag to be triaged by file identity rather than as an alert.
Scenario: Scheduled Backup Job Using Blowfish Encryption
Description: A backup product offers Blowfish as an archive-encryption option, so its executables or the crypto library it bundles contain the S-box tables on disk.
Filter/Exclusion: YARA matches file content, not the process that happens to be running, so exclude by file identity: allowlist the product's binaries by SHA-256 hash, or by code-signing publisher plus install path, rather than by process name or command line. The examples given here are Veeam, Commvault and Dell EMC Data Domain; confirm that the installed build actually ships Blowfish before adding it to the allowlist.
Scenario: Admin Task for Key Rotation Using Blowfish
Description: An administrator re-encrypts material with a tool that implements Blowfish (for example a build of openssl enc that still includes the bf-* ciphers).
Filter/Exclusion: Exclude the specific tool binary by hash or signer. Do not exclude on account identity: a hit attributable to root or Administrator is at least as interesting as one from a standard user, and the rule matches the file regardless of who runs it. HashiCorp Vault and AWS KMS are key-management services, not a reason to suppress the match; if a client binary for one of them contains the tables (a Go binary that links the bcrypt package will), allowlist that file by hash.
Scenario: Log Analysis Tool Processing Blowfish-Encrypted Logs
Description: A collection or analysis stack (Splunk, ELK Stack) ships a crypto library or scripting runtime whose Blowfish tables are present on disk even if no log is ever encrypted with Blowfish.
Filter/Exclusion: Allowlist the installed library files by hash and check that the hit sits in the vendor's install directory and is signed; a copy of the same library dropped elsewhere is not covered by the exclusion.
Scenario: Development Environment Using Blowfish for Testing
Description: A developer builds or tests Blowfish code; the object files, test binaries and container layers that result carry the tables.
Filter/Exclusion: Do not exclude a whole environment (Docker, VirtualBox) or rely on an environment variable, since an intruder on the host controls both. Scope the exclusion to the repository or build-output path and keep the hit as a low-severity tag, so the same artifact is still noticed if it turns up on a production host.
Scenario: System Integrity Check Using Blowfish Constants
Description: An integrity tool (Tripwire, OSSEC) can itself link a crypto library that contains the tables; the constants live in its binary or shared library, not in its baseline configuration, which records file hashes.
Filter/Exclusion: Allowlist the tool's installed binaries by hash as part of the baseline, and rely on the integrity tool's own change detection to catch a modified copy that would otherwise inherit the exclusion.
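The following is an added example, not part of the original page or of phoul's rule: it re-implements the rule's matching logic in Python (both byte orders, the "6 of them" threshold) and then applies the hash-based allowlisting that the exclusion scenarios above call for. The sample "files", their names and the allowlist are constructed here for illustration; the string names $c0 to $c11 follow the rule.

```python
"""Added example (not from the original page or the rule's author).

Re-implements the matching logic of BLOWFISH_Constants in plain Python
and triages hits against a SHA-256 allowlist of known-good files.
All "files" below are constructed byte strings, not real binaries.
"""
from __future__ import annotations

import hashlib
import struct

# The six 32-bit words the rule carries, as written in $c0/$c2/.../$c10.
BLOWFISH_WORDS = (0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0xD01ADFB7,
                  0x4B7A70E9, 0xF64C261C)

# Rule string name -> raw bytes. Even-numbered strings are the words as
# written (big-endian); odd-numbered ones are the byte-swapped forms the
# rule lists right after each of them.
PATTERNS: dict[str, bytes] = {}
for i, word in enumerate(BLOWFISH_WORDS):
    PATTERNS[f"$c{2 * i}"] = struct.pack(">I", word)
    PATTERNS[f"$c{2 * i + 1}"] = struct.pack("<I", word)

THRESHOLD = 6  # the rule's condition: "6 of them"


def matching_strings(data: bytes) -> list[str]:
    """Names of rule strings that occur anywhere in data."""
    return [name for name, pat in PATTERNS.items() if pat in data]


def rule_matches(data: bytes) -> bool:
    """True when at least THRESHOLD of the 12 strings are present."""
    return len(matching_strings(data)) >= THRESHOLD


def sbox_words(endian: str) -> bytes:
    """The six words laid out as a compiled table in one byte order.

    A real binary stores its S-boxes in the target's native order, so only
    the six strings of that order fire; that is why the condition needs
    six hits and not, say, three.
    """
    fmt = {"le": "<I", "be": ">I"}[endian]
    return b"".join(struct.pack(fmt, w) for w in BLOWFISH_WORDS)


# Constructed samples (hypothetical file names, not real files):
SAMPLES: dict[str, bytes] = {
    # x86 DLL that links a Blowfish implementation -> little-endian table
    "libcrypto_x86.dll": b"MZ\x90\x00" + bytes(32) + sbox_words("le") + bytes(32),
    # big-endian firmware image carrying the same cipher
    "router_fw_be.bin": b"\x7fELF" + bytes(16) + sbox_words("be") + bytes(16),
    # only three of the words present: below the threshold, no match
    "truncated.bin": b"\x7fELF" + sbox_words("le")[:12],
    # no crypto at all
    "notes.txt": b"quarterly report: nothing encrypted here\n",
}

# Allowlist built from a known-good copy of the vendor library, the way the
# exclusion scenarios recommend (file identity, not process name or account).
ALLOWLIST = {hashlib.sha256(SAMPLES["libcrypto_x86.dll"]).hexdigest()}


def triage(files: dict[str, bytes], allowlist: set[str]) -> dict[str, str]:
    """Classify each file as 'clean', 'allowlisted' or 'escalate'."""
    verdicts = {}
    for path, data in files.items():
        if not rule_matches(data):
            verdicts[path] = "clean"
            continue
        digest = hashlib.sha256(data).hexdigest()
        verdicts[path] = "allowlisted" if digest in allowlist else "escalate"
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(SAMPLES, ALLOWLIST).items():
        print(f"{verdict:<12}{path:<20}{matching_strings(SAMPLES[path])}")
```

Running it shows the little-endian DLL firing on $c1/$c3/$c5/$c7/$c9/$c11 and being suppressed by its hash, the big-endian image firing on the even-numbered strings and being escalated, and the truncated table stopping at three hits. Swapping the allowlist for a signer or install-path check is a local change to triage(); the matching logic itself is untouched.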