Adversaries may be using FGint DSASign to sign malicious files, potentially bypassing signature-based detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts that evade traditional detection methods.
YARA Rule
rule FGint_DSASign
{ meta:
author = "_pusher_"
date = "2016-08"
description = "FGint DSASign"
version = "0.1"
strings:
$c0 = { 55 8B EC 83 C4 CC 53 56 57 89 4D FC 8B DA 8B F8 8B 75 14 8B 45 10 E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 F4 50 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 4D D4 8B D3 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 4D F4 8B D3 8B C6 E8 ?? ?? ?? ?? 8D 55 EC 8B 45 10 E8 ?? ?? ?? ?? 8D 45 E4 50 8B CB 8D 55 D4 8B 45 18 E8 ?? ?? ?? ?? 8D 4D DC 8D 55 E4 8D 45 EC E8 ?? ?? ?? ?? 8D 45 EC E8 ?? ?? ?? ?? 8D 45 E4 E8 ?? ?? ?? ?? 8D 45 CC 50 8B CB 8D 55 DC 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 DC E8 ?? ?? ?? ?? 8B 55 0C 8D 45 D4 E8 ?? ?? ?? ?? 8B 55 08 8D 45 CC E8 ?? ?? ?? ?? 8D 45 D4 E8 ?? ?? ?? ?? 8D 45 CC E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? B9 06 00 00 00 E8 }
condition:
$c0
}This YARA rule can be deployed in the following contexts:
This rule contains 1 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs FGint DSASign as part of routine system maintenance or patching.
Filter/Exclusion: Exclude events where the process is initiated by a known system maintenance task (e.g., Task Scheduler with task name SystemUpdateTask).
Scenario: Admin Performing Disk Space Analysis
Description: An administrator uses a tool like Sysinternals Process Explorer or Disk Usage Analyzer to analyze disk space, which may trigger the FGint DSASign process.
Filter/Exclusion: Exclude events where the process is initiated by a known admin tool (e.g., Process Explorer.exe or dua.exe).
Scenario: Antivirus or Endpoint Protection Scan
Description: A third-party antivirus or endpoint protection tool (e.g., McAfee Endpoint Security, Symantec Endpoint Protection) runs a scan that triggers the FGint DSASign process as part of file integrity checks.
Filter/Exclusion: Exclude events where the process is initiated by a known endpoint protection tool (e.g., McAfeeVirusScan.exe or sepm.exe).
Scenario: Database Backup Job
Description: A database backup job (e.g., SQL Server Backup Job, MySQL Backup Script) runs and triggers the FGint DSASign process during file compression or signing.
Filter/Exclusion: Exclude events where the process is initiated by a known backup job (e.g., sqlbackup.exe or mysqldump.exe).
Scenario: User-Initiated File Signing for Internal Use
Description: A user signs a file internally using a tool like Signtool or Windows File Signing Utility for internal distribution.