The string "expand 16-byte k" is the fixed constant that Salsa20 and ChaCha load into the first four words of their state when the key is 128 bits (16 bytes); implementations that use a 256-bit key load "expand 32-byte k" instead. The constant is part of the cipher implementation, not of the key, so finding it in a file or memory region indicates an embedded Salsa20/ChaCha implementation. Adversaries commonly bundle such an implementation to encrypt data during exfiltration or command and control communications. SOC teams should proactively hunt for matches of this rule (for example by ingesting YARA scan results into Azure Sentinel) to identify potential encrypted data transfers that could indicate covert malicious activity, keeping in mind that legitimate software that ships its own cipher code contains the same constant.
YARA Rule
rule Chacha_128_constant {
meta:
author = "spelissier"
description = "Look for 128-bit key Chacha stream cipher constant"
date = "2019-12"
reference = "https://www.ecrypt.eu.org/stream/salsa20pf.html"
strings:
$c0 = "expand 16-byte k"
condition:
$c0
}
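The following Python script is an added illustration and is not part of the original rule page. It builds the ChaCha initial state to show where the constant sits (and that a 16-byte key simply occupies both key halves), then emulates the rule's single string match over a few constructed sample buffers. One sample stores the constant as a contiguous string, as a data table would; one materializes it as four separate `mov eax, imm32` instructions, which a compiler may emit instead; one contains only the 256-bit constant; one is plain text. The sample buffers, the `x86_mov_eax_imm32` helper and the function names are assumptions made for this example.

```python
import struct

# Constants from the Salsa20/ChaCha design: the first four state words are a
# fixed ASCII string selected by key length. $c0 in the rule is SIGMA_16.
SIGMA_16 = b"expand 16-byte k"   # 128-bit (16-byte) key
SIGMA_32 = b"expand 32-byte k"   # 256-bit (32-byte) key, not matched by the rule


def chacha_initial_state(key: bytes, counter: int, nonce: bytes) -> list:
    """Return the 16 little-endian words of a ChaCha initial state
    (RFC 8439 layout: 4 constant words, 8 key words, 1 counter, 3 nonce words).
    A 16-byte key is used twice, as in the original ChaCha/Salsa20 design."""
    if len(key) == 16:
        constant, key_words = SIGMA_16, key + key
    elif len(key) == 32:
        constant, key_words = SIGMA_32, key
    else:
        raise ValueError("ChaCha key must be 16 or 32 bytes")
    if len(nonce) != 12:
        raise ValueError("nonce must be 12 bytes")
    state = list(struct.unpack("<4I", constant))
    state += struct.unpack("<8I", key_words)
    state.append(counter & 0xFFFFFFFF)
    state += struct.unpack("<3I", nonce)
    return state


def scan_for_sigma16(blob: bytes) -> dict:
    """Emulate the YARA rule on a byte blob and add one extra check.
    'rule_fires' is exactly what $c0 = "expand 16-byte k" matches.
    'needs_dword_rule' is set when all four 32-bit words of the constant are
    present but not contiguous, i.e. the code loads them as separate
    immediates and the plain string rule misses it."""
    words = [struct.pack("<I", w) for w in struct.unpack("<4I", SIGMA_16)]
    contiguous = SIGMA_16 in blob
    all_words = all(w in blob for w in words)
    return {"rule_fires": contiguous, "needs_dword_rule": all_words and not contiguous}


def x86_mov_eax_imm32(values) -> bytes:
    """Constructed sample helper (assumption): encode each value as
    `mov eax, imm32` (opcode B8 followed by the little-endian immediate)."""
    return b"".join(b"\xb8" + struct.pack("<I", v) for v in values)


# Constructed sample buffers standing in for scanned files.
SAMPLES = {
    "rodata_string": b"\x00" * 8 + SIGMA_16 + b"\x00" * 8,
    "inline_immediates": b"\x90" * 4
    + x86_mov_eax_imm32(struct.unpack("<4I", SIGMA_16))
    + b"\xc3",
    "chacha20_256_only": b"\x00" * 8 + SIGMA_32 + b"\x00" * 8,
    "plain_text": b"please expand 16 bytes of key material",
}


def scan_samples() -> dict:
    """Run the emulated rule over every constructed sample."""
    return {name: scan_for_sigma16(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    state = chacha_initial_state(b"\x01" * 16, 1, b"\x00" * 12)
    print("state words 0-3:", [hex(w) for w in state[:4]])
    for name, result in scan_samples().items():
        print(f"{name:20s} {result}")
```

The "inline_immediates" sample is the case to remember when tuning this rule: a YARA string only matches the constant when it is stored as one contiguous run of bytes, so a complementary rule that declares the four little-endian words (65 78 70 61, 6E 64 20 31, 36 2D 62 79, 74 65 20 6B) as hex strings and requires all of them will catch implementations that the string rule misses, at the cost of more false positives from unrelated data.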
This rule contains one string pattern ($c0) in its detection logic and fires on any file that embeds the 128-bit-key constant. Note that mainstream libraries that implement only the 256-bit-key variant of ChaCha20 (the RFC 8439 form) carry "expand 32-byte k" and will not match this rule; matches on "expand 16-byte k" therefore more often point to a custom or older implementation. This YARA rule can be deployed in the following contexts, where a match is expected to be benign and the listed filters help triage it:
Scenario: A system administration tool (e.g., Ansible) that bundles a ChaCha/Salsa20 implementation is used for automated encryption tasks; the match comes from the cipher code shipped with the tool, not from any key stored in its configuration files.
Filter/Exclusion: Check for file paths containing /etc/ansible/ or /usr/local/bin/ansible-playbook in the event source.
Scenario: A scheduled job (e.g., a cron job or systemd timer) runs a script that uses a 128-bit-key stream cipher to encrypt logs or temporary data.
Filter/Exclusion: Exclude events where the parent process is cron or systemd and the command line contains the known encryption script arguments, for example log_encrypt or temp_encrypt.
Scenario: A database backup tool (e.g., pg_dump or mysqldump) is wrapped in a backup job that encrypts the dump files with a 128-bit key.
Filter/Exclusion: Filter events where the process name is pg_dump or mysqldump and exclude those whose command line contains the options or wrapper script that your backup job uses for its encryption step.
Scenario: A network security appliance or host firewall toolset (e.g., iptables or pf) includes a cryptographic library with a ChaCha/Salsa20 implementation as part of its VPN or management tooling.
Filter/Exclusion: Exclude events related to iptables or pf and filter by process names such as iptables-save or pfctl.
Scenario: A cloud provider's CLI tool (e.g., aws-cli or gcloud) bundles a cryptographic library with a ChaCha/Salsa20 implementation and is used to encrypt sensitive data in transit or at rest.
Filter/Exclusion: Exclude events where the process name is aws or gcloud and filter by command-line arguments that select encryption or a key (for example --encrypt or --key, adjusted to the options your environment actually uses).