The FGint MulByInt rule detects potential obfuscation techniques where adversaries may be using integer multiplication to bypass simple string-based detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) activities that rely on code obfuscation to evade detection.
YARA Rule
rule FGint_MulByInt
{
    meta:
        author = "_pusher_"
        date = "2015-05"
        description = "FGint MulByInt"
    strings:
        $c0 = { 53 56 57 55 83 C4 E8 89 4C 24 04 8B EA 89 04 24 8B 04 24 8B 40 04 8B 00 89 44 24 08 8B 44 24 08 83 C0 02 50 8D 45 04 B9 01 00 00 00 8B 15 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 C4 04 33 F6 8B 7C 24 08 85 FF 76 6D BB 01 00 00 00 8B 04 24 8B 40 04 8B 04 98 33 D2 89 44 24 10 89 54 24 14 8B 44 24 04 33 D2 52 50 8B 44 24 18 8B 54 24 1C ?? ?? ?? ?? ?? 89 44 24 10 89 54 24 14 8B C6 33 D2 03 44 24 10 13 54 24 14 89 44 24 10 89 54 24 14 8B 44 24 10 25 FF FF FF 7F 8B 55 04 89 04 9A 8B 44 24 10 8B 54 24 14 0F AC D0 1F C1 EA 1F 8B F0 43 4F 75 98 }
    condition:
        $c0
}
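The rule's only string is a hex pattern in which every `??` is a one-byte wildcard, so the pattern matches the same code regardless of the bytes at those positions (typically relocated addresses or call displacements). The Python below is an added example, not part of the original rule or page: it translates the `$c0` hex string into a bytes regex, scans a constructed buffer, and checks that changing a literal byte breaks the match while changing a wildcard byte does not. It handles only literal bytes and `??` wildcards (not YARA jumps like `[4-6]` or alternatives); for real scanning use the `yara` CLI or yara-python, which this snippet is only meant to help you reason about and unit-test.

```python
import re

# Hex string $c0 copied from the FGint_MulByInt rule above. In YARA hex-string
# syntax, "??" is a one-byte wildcard; every other token is a literal byte.
FGINT_MULBYINT_HEX = (
    "53 56 57 55 83 C4 E8 89 4C 24 04 8B EA 89 04 24 8B 04 24 8B 40 04 8B 00 "
    "89 44 24 08 8B 44 24 08 83 C0 02 50 8D 45 04 B9 01 00 00 00 8B 15 ?? ?? ?? "
    "?? ?? ?? ?? ?? ?? 83 C4 04 33 F6 8B 7C 24 08 85 FF 76 6D BB 01 00 00 00 8B "
    "04 24 8B 40 04 8B 04 98 33 D2 89 44 24 10 89 54 24 14 8B 44 24 04 33 D2 52 "
    "50 8B 44 24 18 8B 54 24 1C ?? ?? ?? ?? ?? 89 44 24 10 89 54 24 14 8B C6 33 "
    "D2 03 44 24 10 13 54 24 14 89 44 24 10 89 54 24 14 8B 44 24 10 25 FF FF FF "
    "7F 8B 55 04 89 04 9A 8B 44 24 10 8B 54 24 14 0F AC D0 1F C1 EA 1F 8B F0 43 "
    "4F 75 98"
)


def hex_tokens(hex_string):
    """Split a YARA-style hex string into its byte tokens."""
    return hex_string.split()


def wildcard_offsets(hex_string):
    """Indices (relative to the pattern start) of the ?? wildcard bytes."""
    return [i for i, t in enumerate(hex_tokens(hex_string)) if t == "??"]


def hex_string_to_regex(hex_string):
    """Translate a hex string made of literal bytes and ?? wildcards into a
    compiled bytes regex. DOTALL is required so '.' also matches 0x0A."""
    parts = []
    for tok in hex_tokens(hex_string):
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf, hex_string=FGINT_MULBYINT_HEX):
    """Return the offsets in buf at which the pattern occurs."""
    return [m.start() for m in hex_string_to_regex(hex_string).finditer(buf)]


def build_sample(wildcard_fill=0x90, prefix=b"\x00" * 16, suffix=b"\xcc" * 8):
    """Constructed test buffer (not a real binary): the pattern's literal bytes
    with every wildcard position set to wildcard_fill, padded on both sides."""
    body = bytes(
        wildcard_fill if t == "??" else int(t, 16)
        for t in hex_tokens(FGINT_MULBYINT_HEX)
    )
    return prefix + body + suffix


def flip_byte(buf, offset):
    """Copy of buf with one byte inverted, for negative and wildcard checks."""
    out = bytearray(buf)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample()
    first_wc = 16 + wildcard_offsets(FGINT_MULBYINT_HEX)[0]
    print("match offsets in constructed sample:", scan(sample))
    print("after corrupting the first literal byte:", scan(flip_byte(sample, 16)))
    print("after corrupting a wildcard byte:", scan(flip_byte(sample, first_wc)))
```

Because the pattern is compiled machine code rather than a text string, the test buffer here stands in for a section of an executable; when tuning the rule, the same approach lets you confirm that a proposed change to a byte is inside a wildcard run before relying on it.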
This rule contains one string pattern in its detection logic.
This YARA rule can be deployed in the following contexts:
Scenario: Scheduled backup job using rsync or Veeam that transfers large volumes of integer data between servers.
Filter/Exclusion: Check for process names like rsync, veeam, or backup in the process tree, and filter by known backup directories or timestamps matching scheduled jobs.
Scenario: System update or patching task using yum or apt that processes integer-based configuration files.
Filter/Exclusion: Filter events where the process name is yum or apt, and exclude files in standard package directories like /var/cache/apt/archives/ or /usr/lib.
Scenario: Log file rotation using logrotate that generates temporary integer files during rotation.
Filter/Exclusion: Exclude processes named logrotate and filter events involving paths in /var/log/ or /etc/logrotate.d/.
Scenario: Database indexing or query optimization task using pgAdmin or MySQL Workbench that involves integer operations.
Filter/Exclusion: Filter by process names like pgAdmin, mysql, or mysqld, and exclude database directories or specific query patterns.
Scenario: Network traffic analysis tool like Wireshark or tcpdump processing integer-based packet data for analysis.
Filter/Exclusion: Exclude processes named tcpdump or wireshark, and filter events involving known network analysis directories or specific packet capture files.