FGInt is a big-integer and elliptic-curve library for Delphi, and ECPointKMultiple is its scalar point-multiplication routine; the rule below matches the compiled machine code of that routine, so a hit means the scanned binary carries it. Adversaries may use FGint ECPointKMultiple to perform cryptographic operations that could be part of key derivation or data exfiltration. SOC teams should proactively hunt for binaries matching this rule to identify potential advanced persistent threat activity leveraging elliptic curve cryptography in their Azure Sentinel environment.
YARA Rule
rule FGint_ECPointKMultiple
{
    meta:
        author = "_pusher_"
        date = "2015-06"
        description = "FGint ECPointKMultiple"
        version = "0.1"
    strings:
        $c0 = { 55 8B EC 83 C4 BC 53 56 57 33 DB 89 5D E4 8B 75 0C 8D 7D E8 A5 A5 8B F1 8D 7D F0 A5 A5 8B F2 8D 7D F8 A5 A5 8B F0 8D 7D D0 A5 A5 A5 A5 A5 8B 5D 08 8D 45 D0 8B 15 ?? ?? ?? 00 E8 ?? ?? ?? ?? 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 }
    condition:
        $c0
}
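As an added example (not part of the rule or of the FGInt library), the following Python helper interprets the rule's `$c0` hex string the way YARA does, so an analyst can check offline which bytes the signature pins down and which the `??` wildcards leave open; the buffers it scans are constructed, not taken from a real binary.

```python
import re

# Hex string copied verbatim from the $c0 string of the rule above.
FGINT_ECPOINTKMULTIPLE_HEX = """
55 8B EC 83 C4 BC 53 56 57 33 DB 89 5D E4 8B 75 0C 8D 7D E8 A5 A5 8B F1 8D 7D F0
A5 A5 8B F2 8D 7D F8 A5 A5 8B F0 8D 7D D0 A5 A5 A5 A5 A5 8B 5D 08 8D 45 D0 8B 15
?? ?? ?? 00 E8 ?? ?? ?? ?? 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15
?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15
?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68
"""


def hex_pattern_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string into a compiled bytes regex.

    Only the two token kinds this rule uses are supported: a literal byte
    (two hex digits) and the full-byte wildcard '??'. YARA also allows
    nibble wildcards ('?A') and jumps ('[4-6]'); those are rejected here.
    """
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")  # any single byte; DOTALL lets '.' match 0x0A too
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex-string token: {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def build_sample(hex_string: str, fill: int = 0x41) -> bytes:
    """Construct a buffer that should match: every '??' is replaced by `fill`."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in hex_string.split())


def scan(data: bytes, hex_string: str = FGINT_ECPOINTKMULTIPLE_HEX) -> list:
    """Return the offsets of every match, the way yara reports string matches."""
    return [m.start() for m in hex_pattern_to_regex(hex_string).finditer(data)]


def wildcard_ratio(hex_string: str) -> float:
    """Fraction of the pattern left open by wildcards (a rough specificity measure)."""
    toks = hex_string.split()
    return toks.count("??") / len(toks)
```

With yara-python installed, `yara.compile(source=...)` on the rule above should report the same offsets; the helper is for reasoning about the pattern, not a replacement for the YARA engine.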
This rule contains a single string pattern ($c0) in its detection logic. When deploying it, the following benign scenarios and the matching process-level exclusions can be paired with it to reduce noise:
Scenario: Scheduled system backup using Veeam Backup & Replication
    Filter/Exclusion: process.name != "vbm.exe" and process.name != "vpxa.exe"
Scenario: Regular Windows Update or Group Policy refresh via Task Scheduler
    Filter/Exclusion: process.name != "wuauserv.exe" and process.name != "gupdate.exe"
Scenario: Microsoft Endpoint Manager (Intune) performing device compliance checks
    Filter/Exclusion: process.name != "mpssvc.exe" and process.name != "mmpolicy.exe"
Scenario: Docker container orchestration or image pull via Kubernetes
    Filter/Exclusion: process.name != "docker.exe" and process.name != "k8s-dns-dns-tiny.exe"
Scenario: Log management tool like Splunk or ELK Stack performing log ingestion
    Filter/Exclusion: process.name != "splunkd.exe" and process.name != "logstash.exe"