The FGint_ECPointDestroy rule matches a byte pattern associated with the destruction of elliptic curve points (the FGint ECPointDestroy routine); a hit may indicate cryptographic sabotage or tampering with secure communications. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise cryptographic integrity and data security.
YARA Rule
rule FGint_ECPointDestroy
{
    meta:
        author = "_pusher_"
        date = "2015-06"
        description = "FGint ECPointDestroy"
        version = "0.1"
    strings:
        $c0 = { 53 8B D8 8B C3 E8 ?? ?? ?? ?? 8D 43 08 E8 ?? ?? ?? ?? 5B C3 }
    condition:
        $c0
}
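To make the detection logic concrete, the following Python (an added example, not part of the original rule or of the FGint project) reimplements the `$c0` hex-string match over a constructed byte buffer, so an analyst can see exactly which bytes are fixed and which the `??` wildcards leave free; `yara_hex_to_regex`, `scan` and the sample buffers are names and data assumed here.

```python
import re

# The $c0 hex string from the FGint_ECPointDestroy rule above.
RULE_HEX = "53 8B D8 8B C3 E8 ?? ?? ?? ?? 8D 43 08 E8 ?? ?? ?? ?? 5B C3"

def yara_hex_to_regex(hex_string: str) -> re.Pattern:
    """Compile a YARA hex string (plain bytes and ?? wildcards) to a bytes regex.
    Assumption: only full-byte tokens and '??' occur, as in $c0 above; jumps
    such as [4-6] and nibble wildcards such as 8? are not handled here."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")  # any single byte
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes.fromhex(tok)))
        else:
            raise ValueError(f"unsupported token: {tok}")
    return re.compile(b"".join(parts), re.DOTALL)

def scan(buf: bytes, hex_string: str = RULE_HEX) -> list:
    """Return the offsets of every match of hex_string in buf; the rule's
    condition `$c0` is true exactly when this list is non-empty."""
    return [m.start() for m in yara_hex_to_regex(hex_string).finditer(buf)]

# Constructed sample: the fixed bytes decode as x86
#   push ebx / mov ebx,eax / mov eax,ebx / call rel32 /
#   lea eax,[ebx+8] / call rel32 / pop ebx / ret
# i.e. a small routine that frees an object and the field at offset 8.
# The two rel32 call targets are the wildcarded bytes, so any value works.
SAMPLE_HIT = (b"\x90" * 5
              + bytes.fromhex("53 8B D8 8B C3 E8") + b"\x11\x22\x33\x44"
              + bytes.fromhex("8D 43 08 E8") + b"\xAA\xBB\xCC\xDD"
              + bytes.fromhex("5B C3") + b"\xCC" * 3)
# Constructed near-miss: lea eax,[ebx+4] instead of [ebx+8] must not match.
SAMPLE_MISS = SAMPLE_HIT.replace(bytes.fromhex("8D 43 08"),
                                 bytes.fromhex("8D 43 04"))

if __name__ == "__main__":
    print("hit offsets:", scan(SAMPLE_HIT))    # [5]
    print("miss offsets:", scan(SAMPLE_MISS))  # []
```

For production scanning use yara itself (e.g. yara-python), which also handles jumps, nibble wildcards and the rule's condition language; this snippet only shows what the signature keys on.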
This rule contains a single string pattern ($c0) in its detection logic.
This YARA rule can be deployed in the following contexts; each scenario describes a benign source of similar activity together with a filter to exclude it:
Scenario: Scheduled system maintenance using Windows Task Scheduler to clean up temporary files or perform disk cleanup.
Filter/Exclusion: process.parent_process == "schtasks.exe" or process.name == "cleanmgr.exe"
Scenario: VMware vCenter Server performing routine maintenance tasks such as inventory synchronization or storage management.
Filter/Exclusion: process.name == "vpxd.exe" or process.parent_process == "vmware-vpxd.exe"
Scenario: Microsoft SQL Server Agent executing a scheduled job to truncate or archive old logs.
Filter/Exclusion: process.name == "sqlagent.exe" or process.parent_process == "sqlservr.exe"
Scenario: Ansible or Chef automation tools running playbook tasks that interact with system components (e.g., managing ECPoint resources).
Filter/Exclusion: process.name == "ansible" or process.name == "chef-client" or process.parent_process == "ansible-playbook"
Scenario: Windows Event Log Cleanup task initiated by the Task Scheduler to manage log file sizes.
Filter/Exclusion: process.name == "eventvwr.exe" or process.parent_process == "schtasks.exe"