The FGint RsaDecrypt rule detects potential decryption activity associated with the FGint malware, which may indicate an adversary attempting to decrypt stolen credentials or data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary actions that could lead to data exfiltration or lateral movement.
YARA Rule
rule FGint_RsaDecrypt
{
    meta:
        author = "Maxx"
        description = "FGint RsaDecrypt"
    strings:
        $c0 = { 55 8B EC 83 C4 A0 53 56 57 33 DB 89 5D A0 89 5D A4 89 5D A8 89 5D B4 89 5D B0 89 5D AC 89 4D F8 8B FA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 }
    condition:
        $c0
}
This rule contains one string pattern ($c0) in its detection logic: a fixed byte sequence with single-byte wildcards (??) in the positions that hold relocated addresses and call targets.
The scenarios below are contexts in which legitimate activity can coincide with a match; the filter or exclusion listed with each scenario can be used to tune the rule when it is deployed.
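The following is an added example, not part of the original rule page: it translates the rule's $c0 hex string into a byte-level regular expression and scans a constructed buffer, so the reader can see how the fixed bytes and the ?? wildcards behave. The buffer and its fill bytes are synthetic, not taken from any FGint binary; only whole-byte wildcards are implemented, since that is all $c0 uses.

```python
import re

# Hex string $c0 copied from the FGint_RsaDecrypt rule above. In YARA hex
# syntax, "??" is a one-byte wildcard; everything else is an exact byte.
C0_PATTERN = (
    "55 8B EC 83 C4 A0 53 56 57 33 DB "
    "89 5D A0 89 5D A4 89 5D A8 89 5D B4 89 5D B0 89 5D AC "
    "89 4D F8 8B FA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? "
    "8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? "
    "8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? "
    "8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? "
    "8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? "
    "8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? "
    "8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? "
    "8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? "
    "8D 45 B8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? "
    "33 C0 55"
)


def tokens(pattern):
    return pattern.split()


def pattern_stats(pattern):
    """Return (total_bytes, fixed_bytes, wildcard_bytes) for a hex string.
    The fixed count is a rough measure of how specific the pattern is."""
    toks = tokens(pattern)
    wild = sum(1 for t in toks if t == "??")
    return len(toks), len(toks) - wild, wild


def hex_pattern_to_regex(pattern):
    """Translate a YARA hex string with fixed bytes and ?? wildcards into a
    compiled bytes regex. Nibble wildcards and jumps ([n-m]) are not handled
    here because $c0 does not use them."""
    parts = []
    for tok in tokens(pattern):
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(b"\\x%02X" % int(tok, 16))  # escape form is safe for any byte
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: ?? must also match 0x0A


def scan(buf, pattern=C0_PATTERN):
    """Return every offset in buf at which the pattern matches."""
    rx = hex_pattern_to_regex(pattern)
    return [m.start() for m in rx.finditer(buf)]


def build_sample(fill=0x90, pad_before=32, pad_after=16):
    """Constructed test buffer (synthetic, not a real FGint binary): the
    pattern's fixed bytes, with each wildcard position filled by a varying
    byte, surrounded by zero padding."""
    body = bytearray()
    for i, tok in enumerate(tokens(C0_PATTERN)):
        body.append((i * 37 + fill) & 0xFF if tok == "??" else int(tok, 16))
    return b"\x00" * pad_before + bytes(body) + b"\x00" * pad_after


def build_near_miss():
    """Same buffer with one fixed byte altered (33 DB -> 33 C9). Fixed bytes
    are exact, so this must not match even though every ?? position is free."""
    buf = bytearray(build_sample())
    idx = 32 + 10  # padding length + index of the DB byte in "33 DB"
    if buf[idx] != 0xDB:
        raise RuntimeError("sample layout changed")
    buf[idx] = 0xC9
    return bytes(buf)


if __name__ == "__main__":
    print(pattern_stats(C0_PATTERN))      # (160, 92, 68)
    print(scan(build_sample()))           # [32]
    print(scan(build_near_miss()))        # []
```

Of the 160 bytes in $c0, 68 are wildcards, so the rule keys on 92 fixed bytes; the wildcarded spans are exactly where a compiler emits addresses that change between builds, which is why the pattern tolerates relinking but not a change in the instruction sequence itself.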
Scenario: System update or patching using Windows Update or Group Policy Preferences
Filter/Exclusion: Check for ProcessName containing wuauclt.exe or gppref.exe, or CommandLine containing wuauclt or gpupdate.
Scenario: Scheduled job running PowerShell scripts for routine maintenance or configuration
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for known maintenance scripts or paths like C:\Windows\System32\ or C:\Program Files\.
Scenario: Microsoft Endpoint Configuration Manager (MECM) performing software deployment or inventory collection
Filter/Exclusion: Use ProcessName like ccmexec.exe or mpssvc.exe, or check for CommandLine containing Configuration Manager or SMS.
Scenario: Windows Task Scheduler executing a legitimate administrative task, such as log rotation or backup
Filter/Exclusion: Filter by ProcessName containing schtasks.exe or taskhost.exe, and check for known task names or paths related to system maintenance.
Scenario: Third-party encryption tool (e.g., VeraCrypt, BitLocker) performing decryption operations during normal operation
Filter/Exclusion: Use ProcessName containing veracrypt.exe or bitlocker.exe, or check for CommandLine containing the specific encryption-tool commands in use.
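As an added example (not part of the original page), the five scenarios above can be applied as an exclusion pass over process events before a match is escalated. The event field names (ProcessName, CommandLine, FolderPath), the sample events and the known task names are constructed assumptions for illustration. One check is added beyond what the page lists: every exclusion also requires the image to live under one of the trusted directories the page names, so that a binary that merely shares a name with wuauclt.exe or veracrypt.exe but runs from a user profile is not excluded on its name alone. Command-line markers are matched as whole words so that the "SMS" marker does not fire on smss.exe.

```python
import re

# Directories the page treats as expected locations for maintenance scripts.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

# Constructed task names standing in for the "known task names" of Scenario 4.
KNOWN_TASKS = ("\\maintenance\\rotatelogs", "\\maintenance\\nightlybackup")


def script_in_trusted_dir(cmd):
    """Scenario 2: the script referenced on the command line is under a trusted path."""
    c = cmd.lower()
    return any(d in c for d in TRUSTED_DIRS)


def known_task(cmd):
    """Scenario 4: the command line names a task on the known-maintenance list."""
    c = cmd.lower()
    return any(t in c for t in KNOWN_TASKS)


# One entry per scenario on the page:
# (label, process names, whole-word command-line markers, extra check or None)
EXCLUSIONS = [
    ("windows-update-or-gpp", ("wuauclt.exe", "gppref.exe"), ("wuauclt", "gpupdate"), None),
    ("scheduled-powershell-maintenance", ("powershell.exe",), (), script_in_trusted_dir),
    ("mecm-client", ("ccmexec.exe", "mpssvc.exe"), ("configuration manager", "sms"), None),
    ("task-scheduler-admin-task", ("schtasks.exe", "taskhost.exe"), (), known_task),
    ("encryption-tool", ("veracrypt.exe", "bitlocker.exe"), (), None),
]


def in_trusted_dir(folder_path):
    p = folder_path.lower().rstrip("\\") + "\\"
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def has_marker(command_line, markers):
    cmd = command_line.lower()
    return any(re.search(r"\b" + re.escape(m) + r"\b", cmd) for m in markers)


def matched_exclusion(event):
    """Return the label of the first scenario the event satisfies, or None.
    Added hardening (assumption): the image must sit under a trusted directory
    before any name- or command-line-based exclusion is considered."""
    if not in_trusted_dir(event.get("FolderPath", "")):
        return None
    name = event.get("ProcessName", "").lower()
    cmd = event.get("CommandLine", "")
    for label, names, markers, extra in EXCLUSIONS:
        if name in names or has_marker(cmd, markers):
            if extra is None or extra(cmd):
                return label
    return None


def triage(events):
    """Split events into (excluded, escalate); each item is (label, event)."""
    excluded, escalate = [], []
    for e in events:
        label = matched_exclusion(e)
        (excluded if label else escalate).append((label, e))
    return excluded, escalate


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessName": "wuauclt.exe", "CommandLine": "wuauclt.exe /detectnow",
     "FolderPath": "C:\\Windows\\System32"},
    {"ProcessName": "powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Windows\\System32\\rotate-logs.ps1",
     "FolderPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0"},
    {"ProcessName": "powershell.exe", "CommandLine": "powershell.exe -enc SQBFAFgA",
     "FolderPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0"},   # no known script
    {"ProcessName": "wuauclt.exe", "CommandLine": "wuauclt.exe",
     "FolderPath": "C:\\Users\\alice\\AppData\\Local\\Temp"},            # wrong location
    {"ProcessName": "smss.exe", "CommandLine": "\\SystemRoot\\System32\\smss.exe",
     "FolderPath": "C:\\Windows\\System32"},                             # "sms" must not fire
    {"ProcessName": "veracrypt.exe", "CommandLine": "VeraCrypt.exe /q",
     "FolderPath": "C:\\Program Files\\VeraCrypt"},
    {"ProcessName": "schtasks.exe", "CommandLine": "schtasks.exe /run /tn \\Maintenance\\RotateLogs",
     "FolderPath": "C:\\Windows\\System32"},
]

if __name__ == "__main__":
    excluded, escalate = triage(SAMPLE_EVENTS)
    for label, e in excluded:
        print("excluded ", label, e["ProcessName"])
    for _, e in escalate:
        print("escalate ", e["ProcessName"], e["CommandLine"])
```

Two of the seven constructed events are excluded only because of the added path and script checks; the page's name-based filters alone would also have excluded the renamed wuauclt.exe in the user profile and the encoded PowerShell command, which is the case for pairing each exclusion with a location or script-path condition rather than a process name on its own.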