Adversaries may use CRC32b hashes to obfuscate or manipulate data integrity checks during persistence or exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential tampering or evasion tactics that bypass standard integrity verification mechanisms.
YARA Rule
rule CRC32b_poly_Constant {
    meta:
        author = "_pusher_"
        description = "Look for CRC32b [poly]"
        date = "2016-04"
        version = "0.1"
    strings:
        // 0x04C11DB7, the CRC-32 generator polynomial, stored little-endian
        $c0 = { B71DC104 }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
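As an added example (not part of the original rule or page), the Python below shows why the four bytes in $c0 identify a CRC-32 routine: they are the little-endian encoding of the generator polynomial 0x04C11DB7. It goes beyond the rule by also searching for two related constants it does not cover, the bit-reflected polynomial 0xEDB88320 that table-driven implementations such as zlib use, and the first non-zero entry of the resulting lookup table, because optimised code often embeds the precomputed table rather than the polynomial itself. The sample buffer, the function names and the indicator names are constructed for this illustration.

```python
"""
Added example (not part of the original rule or page): why the byte pattern
in the YARA rule marks a CRC-32 implementation, plus two related constants
the rule itself does not look for.
"""
import struct
import zlib

# Standard CRC-32 polynomial (Ethernet, zip, PNG) in MSB-first form, and its
# bit-reflected form used by table-driven implementations such as zlib.
CRC32_POLY = 0x04C11DB7
CRC32_POLY_REFLECTED = 0xEDB88320


def make_reflected_table(poly=CRC32_POLY_REFLECTED):
    """Build the 256-entry lookup table a table-driven CRC-32 routine uses."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


def crc32_table_driven(data, table=None):
    """Reference CRC-32 (IEEE 802.3) via the reflected table; equals zlib.crc32."""
    table = table or make_reflected_table()
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def matches_stdlib(data):
    """Cross-check the hand-rolled CRC against the standard library."""
    return crc32_table_driven(data) == zlib.crc32(data)


# Little-endian encodings, as the constants appear as immediates or data in
# x86/x64 binaries. Indicator names are constructed for this example.
INDICATORS = {
    "crc32_poly_msb_first": struct.pack("<I", CRC32_POLY),            # B7 1D C1 04, the rule's $c0
    "crc32_poly_reflected": struct.pack("<I", CRC32_POLY_REFLECTED),  # 20 83 B8 ED
    "crc32_table_entry_1": struct.pack("<I", make_reflected_table()[1]),  # 96 30 07 77
}


def find_crc32_indicators(blob):
    """Return {indicator: [offsets]} for each pattern found; mirrors the YARA string match."""
    hits = {}
    for name, pattern in INDICATORS.items():
        offsets = []
        start = 0
        while (idx := blob.find(pattern, start)) != -1:
            offsets.append(idx)
            start = idx + 1
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample standing in for a binary's code/data section: filler bytes
# with the MSB-first polynomial at offset 16 and the reflected one at offset 40.
SAMPLE_BLOB = (
    b"\x90" * 16 + struct.pack("<I", CRC32_POLY)
    + b"\x00" * 20 + struct.pack("<I", CRC32_POLY_REFLECTED) + b"\xcc" * 8
)

if __name__ == "__main__":
    print(INDICATORS["crc32_poly_msb_first"].hex())  # b71dc104, the bytes in $c0
    print(find_crc32_indicators(SAMPLE_BLOB))
    print(matches_stdlib(b"hello"))
```

Two points for triage follow from this. First, the rule only matches the MSB-first constant; compiled software far more often carries the reflected form or a precomputed table, so a clean scan with this rule alone does not rule out a CRC-32 routine. Second, the presence of the constant shows that a file computes CRC-32, not that the computation is malicious, which is why the exclusions listed below matter.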
Scenario: A system backup tool (e.g., Veeam, Acronis) generates temporary files with CRC32b hashes during the backup process.
Filter/Exclusion: Exclude files with the Backup or Temp directory in their path, or filter by file extensions like .tmp or .bak.

Scenario: A scheduled system maintenance task (e.g., Windows Task Scheduler) runs a script that calculates CRC32b hashes for integrity checks.
Filter/Exclusion: Exclude processes associated with system maintenance tasks by checking the process name or command line for keywords like maintenance, scheduler, or integrity.

Scenario: A version control system (e.g., Git) uses CRC32b hashes for object storage during repository operations.
Filter/Exclusion: Exclude files or processes related to Git by checking for paths containing .git or process names like git.

Scenario: A network monitoring tool (e.g., Wireshark) generates logs with CRC32b checksums for packet validation.
Filter/Exclusion: Exclude logs from Wireshark or similar tools by checking the source process name or log file path.

Scenario: A database backup or replication tool (e.g., MySQL mysqldump, PostgreSQL pg_dump) includes CRC32b hashes in its output for data integrity.
Filter/Exclusion: Exclude files or processes related to database backups by checking for paths containing backup, dump, or db.