Adversaries may use FGint FGIntDivMod to manipulate or obfuscate data during lateral movement or persistence. FGint is a Delphi big-integer arithmetic library and FGIntDivMod is its division-with-remainder routine, so the rule below fingerprints that compiled function. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential obfuscation tactics used in advanced persistent threats.
YARA Rule

```yara
rule FGint_DivMod
{
    meta:
        author = "_pusher_"
        date = "2015-05"
        description = "FGint FGIntDivMod"
    strings:
        $c0 = { 55 8B EC 83 C4 BC 53 56 57 8B F1 89 55 F8 89 45 FC 8B 5D 08 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 FC 8A 00 88 45 D7 8B 45 F8 8A 00 88 45 D6 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B D3 8B 45 FC E8 ?? ?? ?? ?? 8D 55 E0 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 F8 8B 45 FC }
    condition:
        $c0
}
```
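To see how the $c0 pattern above behaves on raw bytes without installing yara, here is an added Python matcher (not part of the original rule set): it translates the rule's hex string, wildcards included, into a bytes regex and reports match offsets. The constructed sample buffer, the wildcard fill byte and the optional file argument are assumptions made for the example.

```python
import re

# The $c0 hex string from the FGint_DivMod rule, copied verbatim.
# "??" is a one-byte wildcard; here it covers the 4-byte operands of
# MOV EDX,[addr] (8B 15), CALL rel32 (E8) and PUSH imm32 (68), which
# change with every build while the surrounding opcodes stay fixed.
FGINT_DIVMOD_HEX = """
55 8B EC 83 C4 BC 53 56 57 8B F1 89 55 F8 89 45 FC 8B 5D 08
8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ??
8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ??
33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 FC 8A 00 88 45 D7 8B 45 F8 8A 00 88 45 D6
8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B D3 8B 45 FC E8 ?? ?? ?? ??
8D 55 E0 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 F8 8B 45 FC
"""


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string (fixed bytes plus '??' wildcards) into a bytes regex."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")  # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so that '.' also matches 0x0A, which yara's wildcard does
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, hex_string: str = FGINT_DIVMOD_HEX) -> list:
    """Return every offset at which the pattern matches, as yara reports for $c0."""
    return [m.start() for m in hex_string_to_regex(hex_string).finditer(data)]


def build_sample(wildcard_fill: int = 0xAA, prefix: bytes = b"\x90" * 16) -> bytes:
    """Constructed test buffer (assumption): the rule's fixed bytes with wildcards filled."""
    body = bytes(wildcard_fill if tok == "??" else int(tok, 16)
                 for tok in FGINT_DIVMOD_HEX.split())
    return prefix + body + b"\xC3"


if __name__ == "__main__":
    import sys
    # Scan a file given on the command line, or the constructed sample otherwise.
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("FGint_DivMod $c0 at offsets:", scan(target))
```

For production scanning use yara or yara-python; this matcher only reproduces the single-string, wildcard-only subset of hex string syntax that this rule needs.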
This rule contains one string pattern ($c0) in its detection logic.
This YARA rule can be deployed in the following contexts:
Scenario: Scheduled system maintenance or patching using PowerShell scripts that perform integer division or modulo operations as part of a routine check.
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%-Command%'
Scenario: SQL Server Agent Jobs running batch processing tasks that use integer division or modulo operations in T-SQL scripts.
Filter/Exclusion: process.name != "sqlservr.exe" OR event_id != 144
Scenario: Ansible playbook execution that includes arithmetic operations during configuration management tasks.
Filter/Exclusion: process.name != "ansible" OR event_id != 100
Scenario: Windows Task Scheduler running a script that performs integer division or modulo as part of log rotation or file management.
Filter/Exclusion: process.name != "schtasks.exe" OR event_id != 100
Scenario: Docker container startup scripts that use integer division or modulo to calculate resource limits or container IDs.
Filter/Exclusion: process.name != "docker" OR event_id != 1000