The FGint FindPrimeGoodCurveAndPoint rule detects potential cryptographic key generation activity that may indicate adversary use of custom or compromised cryptographic libraries. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threat (APT) activity or exfiltration attempts that leverage weak or custom cryptographic implementations.
YARA Rule
rule FGint_FindPrimeGoodCurveAndPoint
{
    meta:
        author = "_pusher_"
        date = "2015-06"
        description = "FGint FindPrimeGoodCurveAndPoint"
        version = "0.1"
    strings:
        $c0 = { 55 8B EC 83 C4 F4 53 56 57 33 DB 89 5D F4 89 4D FC 8B FA 8B F0 33 C0 55 }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern in its detection logic.
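As an added example (not part of this rule's page or of the FGint project), the following Python reproduces what the rule's single hex string does: it translates the YARA hex-string syntax into a byte regex, supporting the `??` wildcard, and reports every offset in a buffer where the pattern occurs. The sample buffer, the near-miss variant and the function names are constructed for illustration.

```python
import re

# The single hex string from the rule above, copied verbatim.
RULE_C0 = "55 8B EC 83 C4 F4 53 56 57 33 DB 89 5D F4 89 4D FC 8B FA 8B F0 33 C0 55"


def yara_hex_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex.

    Handles plain byte tokens and the '??' whole-byte wildcard, which is
    all this rule needs; nibble wildcards and jumps are rejected. The body
    is wrapped in a lookahead so overlapping hits are all reported, which
    is how YARA counts occurrences of a string.
    """
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    # DOTALL: '.' must also match 0x0A, since this is binary, not text.
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def scan(data: bytes, hex_string: str = RULE_C0) -> list:
    """Return every offset at which the pattern matches (YARA's @c0)."""
    return [m.start() for m in yara_hex_to_regex(hex_string).finditer(data)]


# Constructed sample: 16 bytes of padding, the 24-byte sequence the rule
# looks for, then a RET and a few zeros. The sequence is an ordinary x86
# Delphi function prologue (push ebp / mov ebp,esp / add esp,-0Ch / push
# ebx,esi,edi / xor ebx,ebx ...), so whatever specificity it has comes
# from the exact stack-slot and register choices, not from anything
# crypto-specific; test it against benign Delphi binaries before deploying.
PATTERN_BYTES = bytes.fromhex(RULE_C0)
SAMPLE = b"\x90" * 16 + PATTERN_BYTES + b"\xC3" + b"\x00" * 8

# A one-byte change (xor ebx,ebx -> xor eax,eax) defeats an exact-byte
# signature; wildcards over volatile bytes are the usual mitigation.
NEAR_MISS = SAMPLE.replace(b"\x33\xDB", b"\x33\xC0", 1)
LOOSER = "55 8B EC 83 C4 F4 53 56 57 ?? ?? 89 5D F4"

if __name__ == "__main__":
    print("exact   :", scan(SAMPLE))            # [16]
    print("mutated :", scan(NEAR_MISS))         # []
    print("wildcard:", scan(NEAR_MISS, LOOSER)) # [16]
```

With yara-python installed, the same check is `yara.compile(source=rule_text).match(data=SAMPLE)`, which also reports the offsets of each string hit.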
Scenario: Scheduled System Maintenance Job
Description: A legitimate system maintenance job runs during off-peak hours and generates network traffic that matches the detection logic.
Filter/Exclusion: process.name != "maintenance_job.exe" or network.destination_ip != "192.168.1.100"
Scenario: Windows Update Deployment
Description: A Windows Update task is being deployed across the network, which may involve communication with Microsoft servers and could trigger the rule.
Filter/Exclusion: network.destination_ip != "52.167.125.144" (Microsoft public IP) or process.name != "wuauclt.exe"
Scenario: Log Management Tool Data Sync
Description: A log management tool like Splunk or ELK Stack is syncing logs to a central server, which may involve outbound traffic that matches the rule.
Filter/Exclusion: process.name != "splunkd.exe" or network.destination_ip != "10.10.1.50"
Scenario: Database Backup Job
Description: A scheduled database backup job (e.g., SQL Server Backup) is transferring data over the network, which may trigger the rule.
Filter/Exclusion: process.name != "sqlbackup.exe" or network.destination_port != 1433
Scenario: Admin Task: Certificate Renewal
Description: An admin is manually renewing SSL/TLS certificates using tools like OpenSSL or Certify The Web, which may involve outbound connections.
Filter/Exclusion: process.name != "openssl.exe" or network.destination_ip != "10.10.1.100"