The CryptoPP RsaFunction detection rule identifies potential use of the Crypto++ cryptographic library for RSA operations, which may indicate an adversary preparing to encrypt or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage encryption activity or data manipulation attempts by threat actors.
YARA Rule
rule CryptoPP_RsaFunction
{
    meta:
        author = "Maxx"
        description = "CryptoPP RsaFunction"
    strings:
        $c0 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC 9C 00 00 00 8B 84 24 B0 00 00 00 53 55 56 33 ED 8B F1 57 3B C5 89 B4 24 A8 00 00 00 89 6C 24 10 BF 01 00 00 00 74 18 C7 06 ?? ?? ?? ?? C7 46 20 ?? ?? ?? ?? 89 7C 24 10 89 AC 24 B4 00 00 00 8D 4E 04 E8 ?? ?? ?? ?? 8D 4E 10 89 BC 24 B4 00 00 00 E8 ?? ?? ?? ?? 8B 06 BB ?? ?? ?? ?? BF ?? ?? ?? ?? 8B 48 04 C7 04 31 ?? ?? ?? ?? 8B 16 8B 42 04 8B 54 24 10 83 CA 02 8D 48 E0 89 54 24 10 89 4C 30 FC 89 5C 24 18 89 7C }
        $c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 08 8B 44 24 1C 53 8B 5C 24 1C 56 8B F1 57 33 C9 89 74 24 10 3B C1 89 4C 24 0C 74 7B C7 46 04 ?? ?? ?? ?? C7 46 3C ?? ?? ?? ?? C7 46 30 ?? ?? ?? ?? C7 46 34 ?? ?? ?? ?? 3B D9 75 06 89 4C 24 28 EB 0E 8B 43 04 8B 50 0C 8D 44 1A 04 89 44 24 28 8B 56 3C C7 44 24 0C 07 00 00 00 8B 42 04 C7 44 30 3C ?? ?? ?? ?? 8B 56 3C 8B 42 08 C7 44 30 3C ?? ?? ?? ?? 8B 56 3C C7 46 38 ?? ?? ?? ?? 8B 42 04 C7 44 30 3C }
        $c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 08 8B 44 24 18 56 8B F1 57 85 C0 89 74 24 0C C7 44 24 08 00 00 00 00 74 63 C7 46 04 ?? ?? ?? ?? C7 46 3C ?? ?? ?? ?? C7 46 30 ?? ?? ?? ?? C7 46 34 ?? ?? ?? ?? 8B 46 3C C7 44 24 08 07 00 00 00 8B 48 04 C7 44 31 3C ?? ?? ?? ?? 8B 56 3C 8B 42 08 C7 44 30 3C ?? ?? ?? ?? 8B 4E 3C C7 46 38 ?? ?? ?? ?? 8B 51 04 C7 44 32 3C ?? ?? ?? ?? 8B 46 3C 8B 48 08 C7 44 31 3C ?? ?? ?? ?? C7 06 ?? ?? ?? ?? 8D 7E 04 6A 00 8B CF }
    condition:
        any of them
}
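To see how the rule's hex strings actually match, here is an added example (not part of the rule page or of YARA itself) that translates a YARA hex string with ?? wildcards into a byte regex and evaluates the rule's "any of them" condition over a constructed buffer. It embeds only $c0; the other two strings can be added to RULE_STRINGS unchanged, and the sample bytes are constructed for the demonstration.

```python
import re

# $c0 from the CryptoPP_RsaFunction rule above; "??" is YARA's single-byte wildcard.
# Its first 21 bytes (6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00)
# are the generic MSVC x86 SEH prologue, so the bytes after them carry the specificity.
C0 = (
    "6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC 9C 00 00 00 "
    "8B 84 24 B0 00 00 00 53 55 56 33 ED 8B F1 57 3B C5 89 B4 24 A8 00 00 00 89 6C 24 10 "
    "BF 01 00 00 00 74 18 C7 06 ?? ?? ?? ?? C7 46 20 ?? ?? ?? ?? 89 7C 24 10 89 AC 24 B4 "
    "00 00 00 8D 4E 04 E8 ?? ?? ?? ?? 8D 4E 10 89 BC 24 B4 00 00 00 E8 ?? ?? ?? ?? 8B 06 "
    "BB ?? ?? ?? ?? BF ?? ?? ?? ?? 8B 48 04 C7 04 31 ?? ?? ?? ?? 8B 16 8B 42 04 8B 54 24 "
    "10 83 CA 02 8D 48 E0 89 54 24 10 89 4C 30 FC 89 5C 24 18 89 7C"
)
RULE_STRINGS = {"$c0": C0}  # add "$c1" / "$c2" from the rule the same way

def hex_pattern_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string of fixed bytes and ?? wildcards into a bytes regex."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")  # any single byte
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {tok}")
    # DOTALL so a wildcard also matches 0x0A, which '.' would otherwise skip
    return re.compile(b"".join(parts), re.DOTALL)

def instantiate(hex_string: str, filler: int = 0x90) -> bytes:
    """Constructed test data: the pattern with every wildcard replaced by `filler`."""
    return bytes(filler if t == "??" else int(t, 16) for t in hex_string.split())

def scan(data: bytes, strings: dict) -> dict:
    """Return {identifier: [offsets]} for every hex string that occurs in data."""
    hits = {}
    for ident, hex_string in strings.items():
        offsets = [m.start() for m in hex_pattern_to_regex(hex_string).finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits

def rule_matches(data: bytes, strings: dict = RULE_STRINGS) -> bool:
    """The rule's condition is 'any of them': true once at least one string hits."""
    return bool(scan(data, strings))

if __name__ == "__main__":
    # Constructed sample: padding, then $c0 with 0x41 in every wildcard slot.
    sample = b"\x00" * 16 + instantiate(C0, 0x41) + b"\xff" * 8
    print(scan(sample, RULE_STRINGS))  # {'$c0': [16]}
```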
This rule contains 3 string patterns in its detection logic. The scenarios below describe legitimate RSA activity that can resemble what the rule detects; each comes with a filter/exclusion that can be applied to suppress the false positive.
Scenario: System Backup Process Using GPG
Description: A scheduled backup job uses GPG (GNU Privacy Guard) to encrypt backup files using RSA encryption.
Filter/Exclusion: process.name != "gpg" OR process.parent.name != "backup-service"

Scenario: Admin Task Using OpenSSL for Certificate Generation
Description: An administrator is generating SSL/TLS certificates using OpenSSL, which internally uses RSA functions.
Filter/Exclusion: process.name != "openssl" OR process.args != "genrsa"

Scenario: Scheduled Job for Key Pair Generation
Description: A system administrator runs a scheduled job to generate RSA key pairs for internal use (e.g., API signing).
Filter/Exclusion: process.name != "ssh-keygen" OR process.args != "-t rsa"

Scenario: Enterprise PKI Tool Using Crypto++ Library
Description: A legitimate enterprise PKI (Public Key Infrastructure) tool, such as OpenDNSSEC or OpenSSL, uses the Crypto++ library for RSA operations.
Filter/Exclusion: process.name != "open-dnssec" AND process.name != "openssl" (the two conditions must be joined with AND; joined with OR the expression is always true and excludes nothing)

Scenario: Secure Shell (SSH) Key Exchange
Description: SSH clients and servers use RSA for key exchange during secure connections.
Filter/Exclusion: process.name != "ssh" OR process.args != "connect"