Adversaries may use FGint DSAVerify to manipulate digital signature validation processes, potentially enabling unauthorized code execution or bypassing integrity checks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential exploitation of cryptographic validation weaknesses.
YARA Rule

rule FGint_DSAVerify
{
    meta:
        author = "_pusher_"
        date = "2016-08"
        description = "FGint DSAVerify"
        version = "0.1"
    strings:
        $c0 = { 55 8B EC 83 C4 B4 53 56 57 89 4D FC 8B DA 8B F0 8B 7D 08 8B 45 14 E8 ?? ?? ?? ?? 8B 45 10 E8 ?? ?? ?? ?? 8B 45 0C E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 CC 8B 45 0C E8 ?? ?? ?? ?? 8D 4D F4 8B D3 8D 45 CC E8 ?? ?? ?? ?? 8D 55 C4 8B 45 14 E8 ?? ?? ?? ?? 8D 45 EC 50 8B CB 8D 55 F4 8D 45 C4 E8 ?? ?? ?? ?? 8D 45 C4 E8 ?? ?? ?? ?? 8D 55 D4 8B 45 10 E8 ?? ?? ?? ?? 8D 45 E4 50 8B CB 8D 55 F4 8D 45 D4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 C4 50 8B CE 8D 55 EC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 BC 50 8B CE 8D 55 E4 8B 45 18 E8 ?? ?? ?? ?? 8D 45 B4 50 8B CE 8D 55 BC 8D 45 C4 E8 ?? ?? ?? ?? 8D 45 C4 E8 }
    condition:
        $c0
}
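The rule's only signal is the hex string $c0, in which every "??" is a one-byte wildcard masking the relative targets of E8 call instructions and the imm32 addresses of 8B 15 loads. The following Python is an added example, not part of the page or of the _pusher_ signature set: it parses that hex string into fixed bytes and wildcards, compiles it to a bytes regex, and scans a constructed buffer the way YARA would report match offsets. It handles only plain bytes and "??" (not nibble wildcards, jumps or alternatives); the sample input is built from the pattern itself and is not a real FGint binary.

```python
import re

# $c0 from rule FGint_DSAVerify, copied from the page. "??" is YARA's one-byte
# wildcard. The first three bytes (55 8B EC) are the x86 prologue push ebp / mov ebp,esp.
FGINT_DSAVERIFY_C0 = """
55 8B EC 83 C4 B4 53 56 57 89 4D FC 8B DA 8B F0 8B 7D 08 8B 45 14 E8 ?? ?? ?? ??
8B 45 10 E8 ?? ?? ?? ?? 8B 45 0C E8 ?? ?? ?? ??
8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ??
8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ??
8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ??
8D 45 C4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ??
8D 45 B4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20
8D 55 CC 8B 45 0C E8 ?? ?? ?? ?? 8D 4D F4 8B D3 8D 45 CC E8 ?? ?? ?? ??
8D 55 C4 8B 45 14 E8 ?? ?? ?? ?? 8D 45 EC 50 8B CB 8D 55 F4 8D 45 C4 E8 ?? ?? ?? ??
8D 45 C4 E8 ?? ?? ?? ?? 8D 55 D4 8B 45 10 E8 ?? ?? ?? ?? 8D 45 E4 50 8B CB 8D 55 F4 8D 45 D4 E8 ?? ?? ?? ??
8D 45 F4 E8 ?? ?? ?? ?? 8D 45 C4 50 8B CE 8D 55 EC 8B 45 FC E8 ?? ?? ?? ??
8D 45 BC 50 8B CE 8D 55 E4 8B 45 18 E8 ?? ?? ?? ?? 8D 45 B4 50 8B CE 8D 55 BC 8D 45 C4 E8 ?? ?? ?? ??
8D 45 C4 E8
"""


def parse_hex_pattern(text):
    """YARA hex-string body -> list of int (fixed byte) or None (wildcard).

    Only plain bytes and ?? are handled; nibble wildcards, jumps and
    alternatives raise ValueError instead of being silently mis-parsed.
    """
    tokens = []
    for tok in text.split():
        if tok == "??":
            tokens.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            tokens.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    return tokens


def compile_hex_pattern(tokens):
    """Translate the token list into a bytes regex; each wildcard becomes '.'."""
    body = b"".join(b"." if t is None else b"\\x%02x" % t for t in tokens)
    return re.compile(body, re.DOTALL)  # DOTALL so '.' also matches 0x0A


def scan(data, tokens):
    """Offsets at which the pattern matches, like YARA's match offsets for $c0."""
    return [m.start() for m in compile_hex_pattern(tokens).finditer(data)]


def instantiate(tokens, fill=0x90):
    """Constructed bytes satisfying the pattern: fixed bytes verbatim, every
    wildcard replaced by `fill`. Not taken from any real binary."""
    return bytes(fill if t is None else t for t in tokens)


def build_sample(tokens, fill=0x90):
    """Constructed 'file': 66 bytes of filler, one pattern instance, padding.
    A correct scanner therefore reports exactly one match, at offset 66."""
    prefix = b"MZ" + bytes(range(64))
    return prefix + instantiate(tokens, fill) + b"\xC3" * 16


if __name__ == "__main__":
    toks = parse_hex_pattern(FGINT_DSAVERIFY_C0)
    print(f"{len(toks)} bytes in $c0, {toks.count(None)} of them wildcards")
    print("match offsets:", scan(build_sample(toks), toks))
```

Because the wildcards only cover call targets and data addresses, the pattern is tied to one compiler's code layout: changing a single fixed byte defeats it, while any value in a wildcard position is accepted, which is exactly the trade-off the test below exercises.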
This rule contains one string pattern ($c0) in its detection logic. The YARA rule can be deployed in the following contexts; each scenario lists the filter or exclusion for the benign activity expected there:
Scenario: Scheduled system integrity check via Microsoft Defender for Endpoint (MDE)
Filter/Exclusion: Process.parent_process_name == "Microsoft Defender for Endpoint" or Process.command_line contains "Scan" or Process.command_line contains "IntegrityCheck"

Scenario: Windows Update or Group Policy update running in the background
Filter/Exclusion: Process.name == "wusa.exe" or Process.name == "gpupdate.exe" or Process.parent_process_name == "services.exe"

Scenario: Windows Defender Antivirus scan initiated by the system
Filter/Exclusion: Process.name == "MsMpEng.exe" or Process.command_line contains "Scan" or Process.command_line contains "FullScan"

Scenario: Third-party endpoint protection tool (e.g., Kaspersky, Bitdefender) performing a scheduled scan
Filter/Exclusion: Process.name contains "Kav" or Process.name contains "Bitdefender" or Process.command_line contains "Scan" or Process.command_line contains "FullScan"

Scenario: System file verification via DISM or SFC during maintenance tasks
Filter/Exclusion: Process.name == "dism.exe" or Process.name == "sfc.exe" or Process.command_line contains "Scan" or Process.command_line contains "Check" or Process.command_line contains "Verify"
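To see what these five exclusions actually suppress before wiring them into a SIEM, the Python below (an added example, not code from the page or from any vendor's query language) encodes each scenario as a predicate over a process event and runs a handful of constructed events through them. The field names name, parent_process_name and command_line mirror the page's Process.* notation; the events are invented for illustration, and `contains` is implemented as Python's case-sensitive `in`, matching the scenarios as written. It goes slightly beyond the page by reporting every scenario that matches an event rather than just the first.

```python
from typing import Callable, List, Optional, Tuple

Event = dict
Pred = Callable[[Event], bool]


def _has(field: str, *needles: str) -> Pred:
    """Case-sensitive substring test on one field (the page's `contains`)."""
    return lambda e: any(n in e.get(field, "") for n in needles)


def _eq(field: str, *values: str) -> Pred:
    """Exact match on one field (the page's `==`)."""
    return lambda e: e.get(field) in values


def _any(*preds: Pred) -> Pred:
    """Logical OR, as used between the clauses of each scenario."""
    return lambda e: any(p(e) for p in preds)


# The page's five Filter/Exclusion lines, one predicate each.
EXCLUSIONS: List[Tuple[str, Pred]] = [
    ("MDE scheduled integrity check",
     _any(_eq("parent_process_name", "Microsoft Defender for Endpoint"),
          _has("command_line", "Scan", "IntegrityCheck"))),
    ("Windows Update / Group Policy update",
     _any(_eq("name", "wusa.exe", "gpupdate.exe"),
          _eq("parent_process_name", "services.exe"))),
    ("Windows Defender Antivirus scan",
     _any(_eq("name", "MsMpEng.exe"),
          _has("command_line", "Scan", "FullScan"))),
    ("Third-party endpoint protection scan",
     _any(_has("name", "Kav", "Bitdefender"),
          _has("command_line", "Scan", "FullScan"))),
    ("DISM / SFC system file verification",
     _any(_eq("name", "dism.exe", "sfc.exe"),
          _has("command_line", "Scan", "Check", "Verify"))),
]


def exclusion_reasons(event: Event) -> List[str]:
    """Labels of every scenario whose exclusion matches the event."""
    return [label for label, pred in EXCLUSIONS if pred(event)]


def triage(events: List[Event]) -> List[Tuple[int, str, List[str]]]:
    """For each process in which $c0 fired, decide 'suppressed' or 'alert'."""
    out = []
    for e in events:
        reasons = exclusion_reasons(e)
        out.append((e["id"], "suppressed" if reasons else "alert", reasons))
    return out


# Constructed events: processes in which the YARA rule matched (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "name": "MsMpEng.exe", "parent_process_name": "services.exe",
     "command_line": "MsMpEng.exe"},
    {"id": 2, "name": "sfc.exe", "parent_process_name": "cmd.exe",
     "command_line": "sfc /scannow"},
    {"id": 3, "name": "updater.exe", "parent_process_name": "explorer.exe",
     "command_line": "updater.exe --Scan"},
    {"id": 4, "name": "signer.exe", "parent_process_name": "explorer.exe",
     "command_line": "signer.exe verify payload.bin"},
]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Two things stand out in the output: the unrelated `updater.exe` (event 3) is suppressed by four of the five scenarios purely because its command line contains "Scan", so the substring clauses do most of the filtering, while `sfc /scannow` (event 2) is caught only by the `Process.name == "sfc.exe"` clause because "scannow" does not contain the capitalised "Scan". Whether your SIEM's `contains` is case-sensitive therefore changes what these exclusions cover, and is worth checking before relying on them.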