Adversaries may use a CRC16 table as part of obfuscation or data manipulation techniques to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential tampering or malicious data processing activities.
YARA Rule
rule CRC16_table {
    meta:
        author = "_pusher_"
        description = "Look for CRC16 table"
        date = "2016-04"
        version = "0.1"
    strings:
        $c0 = { 00 00 21 10 42 20 63 30 84 40 A5 50 C6 60 E7 70 08 81 29 91 4A A1 6B B1 8C C1 AD D1 CE E1 EF F1 31 12 10 02 73 32 52 22 B5 52 94 42 F7 72 D6 62 39 93 18 83 7B B3 5A A3 BD D3 9C C3 FF F3 DE E3 }
    condition:
        $c0
}
This YARA rule contains one string pattern in its detection logic. The following scenarios describe benign contexts in which CRC16 activity may occur, each with a suggested filter or exclusion:
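The 64 bytes in $c0 are not an arbitrary signature: read as little-endian 16-bit words they are the first 32 entries of the standard MSB-first CRC-16 lookup table for polynomial 0x1021 (the CRC-16/CCITT family, also used by XMODEM). The script below is an added example, not part of the rule or written by its author; the function names are mine. It regenerates the table from the polynomial, checks that the rule's bytes equal the generated table, emulates the rule's condition against a constructed blob, and shows that the same table stored big-endian or built from a different polynomial does not match. The practical point for tuning: any program that links an ordinary CRC-16/CCITT or XMODEM implementation carries exactly these bytes, so a hit on this rule alone is weak evidence and the exclusions listed below matter; conversely, a byte-swapped table layout is missed.

```python
import struct

# Polynomial of the CRC-16/CCITT family (XMODEM uses it too), MSB-first.
CRC16_CCITT_POLY = 0x1021

# The string $c0 from the YARA rule, copied verbatim (64 bytes).
RULE_PATTERN = bytes.fromhex(
    "00 00 21 10 42 20 63 30 84 40 A5 50 C6 60 E7 70 "
    "08 81 29 91 4A A1 6B B1 8C C1 AD D1 CE E1 EF F1 "
    "31 12 10 02 73 32 52 22 B5 52 94 42 F7 72 D6 62 "
    "39 93 18 83 7B B3 5A A3 BD D3 9C C3 FF F3 DE E3 "
)


def make_crc16_table(poly=CRC16_CCITT_POLY):
    """Build the 256-entry MSB-first CRC-16 lookup table for `poly`."""
    table = []
    for byte in range(256):
        crc = byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
        table.append(crc)
    return table


def table_to_bytes(table, little_endian=True):
    """Serialise the table the way a compiler lays out a uint16_t[256] array."""
    fmt = ("<" if little_endian else ">") + "%dH" % len(table)
    return struct.pack(fmt, *table)


def crc16(data, table=None):
    """Table-driven CRC-16/XMODEM (init 0, no reflection, no final XOR)."""
    table = table or make_crc16_table()
    crc = 0
    for b in data:
        crc = ((crc << 8) ^ table[((crc >> 8) ^ b) & 0xFF]) & 0xFFFF
    return crc


def rule_would_match(blob):
    """Emulate the rule's condition: does the 64-byte string occur anywhere in blob?"""
    return RULE_PATTERN in blob


def decode_rule_pattern():
    """Decode $c0 back into its 32 little-endian 16-bit words."""
    return list(struct.unpack("<32H", RULE_PATTERN))


def constructed_sample(table_bytes):
    """Constructed stand-in for a binary with the table embedded mid-file (not real data)."""
    return b"\x7fELF" + b"\x00" * 12 + table_bytes + b"\x90" * 8


if __name__ == "__main__":
    table = make_crc16_table()
    print("rule bytes == CRC-16/CCITT table[:32]:", decode_rule_pattern() == table[:32])
    print("little-endian table in blob matches:",
          rule_would_match(constructed_sample(table_to_bytes(table))))
    print("big-endian table in blob matches:",
          rule_would_match(constructed_sample(table_to_bytes(table, little_endian=False))))
    print("CRC-16/IBM (poly 0x8005) table matches:",
          rule_would_match(table_to_bytes(make_crc16_table(0x8005))))
    print("CRC-16/XMODEM('123456789') = 0x%04X" % crc16(b"123456789", table))
```

Running it prints True, True, False, False and 0x31C3 (the published check value for CRC-16/XMODEM), which confirms both what the rule keys on and its layout dependence.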
Scenario: A system administrator is using a crc16 command-line tool to verify data integrity during a file transfer.
Filter/Exclusion: Exclude processes where the command line contains crc16 and the process is initiated by a known admin user (e.g., root, admin, or sysadmin).
Scenario: A scheduled job runs a script that generates a CRC16 checksum for log files as part of a data validation process.
Filter/Exclusion: Exclude processes associated with scheduled tasks (e.g., cron, task scheduler, or systemd) and filter by known validation scripts (e.g., validate_logs.sh).
Scenario: A developer is using a version control system like git to compute CRC16 hashes for binary files during a commit.
Filter/Exclusion: Exclude processes initiated by developers (e.g., git commit with binary files) and filter by user groups (e.g., dev, developer).
Scenario: A network monitoring tool like Wireshark or tcpdump is capturing packets and calculating CRC16 values for packet validation.
Filter/Exclusion: Exclude processes related to network analysis tools (e.g., tcpdump, Wireshark) and filter by process names or command lines containing network analysis keywords.
Scenario: A backup utility like rsync or Veeam computes CRC16 checksums to verify data consistency during backups.
Filter/Exclusion: Exclude processes initiated by backup services (e.g., rsync, Veeam) and filter by known backup user accounts or service names.