Adversaries may rely on an embedded CRC32 table to evade detection or to manipulate data integrity checks. SOC teams should proactively hunt for this artifact in Azure Sentinel, since it can indicate obfuscation or tampering activity associated with advanced persistent threats.
YARA Rule
rule CRC32_table {
    meta:
        author = "_pusher_"
        description = "Look for CRC32 table"
        date = "2015-05"
        version = "0.1"
    strings:
        $c0 = { 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 19 C4 6D 07 }
    condition:
        $c0
}
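As an added example (not code from the rule's author), the following Python rebuilds the standard CRC32 lookup table from its polynomial, shows that the rule's $c0 bytes are that table's first five entries stored little-endian, and scans constructed sample buffers the way the rule's condition would. A CRC-32C (Castagnoli) table is included to show that the rule only covers the standard 0xEDB88320 polynomial; the sample buffers and function names are assumptions made for the demonstration.

```python
import struct

# Bytes of the rule's $c0 string: the first five entries of the standard
# CRC32 lookup table, stored little-endian as a compiler emits a uint32 array.
RULE_PATTERN = bytes.fromhex("0000000096300777" "2C610EEEBA510999" "19C46D07")

CRC32_POLY = 0xEDB88320    # reflected 0x04C11DB7: zlib, PKZIP, PNG, Ethernet
CRC32C_POLY = 0x82F63B78   # reflected Castagnoli polynomial (CRC-32C), for contrast


def crc32_table(poly=CRC32_POLY):
    """Build the 256-entry reflected (LSB-first) CRC32 lookup table for poly."""
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


def table_bytes(table, entries=256):
    """Serialize table entries little-endian, as they appear in an x86 binary."""
    return b"".join(struct.pack("<I", e) for e in table[:entries])


def crc32_from_table(data, table):
    """Table-driven CRC32 (init 0xFFFFFFFF, final XOR), the routine the table serves."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def find_crc32_table(buf):
    """Offsets of RULE_PATTERN in buf; equivalent to the rule's `$c0` condition."""
    hits, start = [], 0
    while True:
        i = buf.find(RULE_PATTERN, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


# Constructed sample buffers (not real executables): a stub header, filler, then
# an embedded table. Only the standard-polynomial table should trigger the rule.
SAMPLE_STD = b"MZ" + b"\x90" * 30 + table_bytes(crc32_table()) + b"\x00" * 8
SAMPLE_CRC32C = b"MZ" + b"\x90" * 30 + table_bytes(crc32_table(CRC32C_POLY)) + b"\x00" * 8
```

Because zlib, PKZIP and PNG code all carry this same table, a hit by itself is weak evidence; it is the context (an unexpected process, a packed or unsigned binary) that makes it worth investigating.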
This rule contains one string pattern ($c0) in its detection logic. It can be deployed in the following contexts, each with a suggested exclusion to reduce benign matches:
Scenario: A system administrator is using 7-Zip to extract a compressed archive that contains a file with a CRC32 checksum table.
Filter/Exclusion: Exclude processes associated with 7-Zip using the process.name field: process.name:"7-Zip.exe"
Scenario: A scheduled backup job using Veeam Backup & Replication generates temporary files that include CRC32 checksums during the backup process.
Filter/Exclusion: Exclude processes associated with Veeam using the process.name field: process.name:"VeeamBackup.exe"
Scenario: A network monitoring tool like Wireshark captures packets that include CRC32 checksums for data integrity verification.
Filter/Exclusion: Exclude processes associated with Wireshark using the process.name field: process.name:"wireshark.exe"
Scenario: A software update task using Microsoft Endpoint Configuration Manager (MECM) includes files with CRC32 checksums for integrity checks.
Filter/Exclusion: Exclude processes associated with MECM using the process.name field: process.name:"ConfigMgr.exe"
Scenario: A disk imaging tool like DD (Disk Dump) creates image files that include CRC32 checksums for verification.
Filter/Exclusion: Exclude processes associated with DD using the process.name field: process.name:"dd.exe" or process.name:"dd_rescue.exe"