The FGint_RSAEncrypt rule matches the compiled RSAEncrypt routine of the FGint big-integer library (a Delphi library commonly used to implement RSA) inside scanned files or memory. Its presence in an unexpected binary can indicate adversary use of RSA encryption to exfiltrate data or establish encrypted communication channels, which may point to advanced persistent threat activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage encryption-based attacks that could evade traditional detection methods. Because the signature identifies a library function rather than malicious intent, every hit needs context (file origin, code signer, parent process) before it is treated as an incident.
YARA Rule
rule FGint_RSAEncrypt
{
    meta:
        author = "_pusher_"
        date = "2015-05"
        description = "FGint RSAEncrypt"
    strings:
        $c0 = { 55 8B EC 83 C4 D0 53 56 57 33 DB 89 5D D0 89 5D DC 89 5D D8 89 5D D4 8B F9 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 E0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 DC 8B C7 E8 ?? ?? ?? ?? 8B 45 DC E8 ?? ?? ?? ?? 8B D8 8D 55 DC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 DC 8B 4D DC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F3 4E EB 10 }
    condition:
        $c0
}
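To make concrete what the $c0 string actually matches (a run of x86 code bytes in which each ?? is a wildcard for an address the linker fills in), here is an added Python example that is not part of the rule or its source: it parses the hex string from the rule above into a byte-level matcher and scans a constructed buffer with it. The sample buffer, its padding and the wildcard fill value are assumptions made for the demonstration.

```python
import re
from typing import List, Optional

# The $c0 hex string copied from the FGint_RSAEncrypt rule above ("??" = any byte).
C0_HEX = (
    "55 8B EC 83 C4 D0 53 56 57 33 DB 89 5D D0 89 5D DC 89 5D D8 89 5D D4 8B F9 89 55 F8 89 45 FC "
    "8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? "
    "E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 "
    "89 20 8D 55 E0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 DC 8B C7 E8 ?? ?? ?? ?? 8B 45 DC E8 ?? ?? "
    "?? ?? 8B D8 8D 55 DC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 DC 8B 4D DC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? "
    "8B F3 4E EB 10"
)

def parse_hex_pattern(hex_string: str) -> List[Optional[int]]:
    """Turn a YARA hex string into byte values; None stands for a '??' wildcard."""
    tokens = []
    for tok in hex_string.split():
        if tok == "??":
            tokens.append(None)
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            tokens.append(int(tok, 16))
        else:  # jumps like [4-6] or alternatives are not handled by this toy parser
            raise ValueError(f"unsupported hex token {tok!r}")
    return tokens

def compile_pattern(tokens: List[Optional[int]]) -> "re.Pattern[bytes]":
    """Build a bytes regex: fixed bytes are escaped, wildcards become '.' (DOTALL)."""
    body = b"".join(b"." if t is None else re.escape(bytes([t])) for t in tokens)
    return re.compile(body, re.DOTALL)

def scan(data: bytes, pattern: "re.Pattern[bytes]") -> List[int]:
    """Offsets where $c0 matches; YARA's condition '$c0' is true if this is non-empty."""
    return [m.start() for m in pattern.finditer(data)]

def synthetic_sample(tokens: List[Optional[int]], fill: int = 0x90, pad: int = 64) -> bytes:
    """Constructed buffer (not a real binary): zero padding around the signature, wildcards set to `fill`."""
    body = bytes(fill if t is None else t for t in tokens)
    return b"\x00" * pad + body + b"\x00" * pad

def flip_first_fixed_byte(sample: bytes, offset: int) -> bytes:
    """Corrupt the first signature byte (0x55, push ebp) so the match must fail."""
    buf = bytearray(sample)
    buf[offset] ^= 0xFF
    return bytes(buf)

if __name__ == "__main__":
    toks = parse_hex_pattern(C0_HEX)
    pat = compile_pattern(toks)
    sample = synthetic_sample(toks)
    print("matches at:", scan(sample, pat))                                   # [64]
    print("after corruption:", scan(flip_first_fixed_byte(sample, 64), pat))  # []
```

The 160-byte pattern has 60 wildcard positions, so any build of the library with different relocated addresses still matches, while a single changed fixed byte does not.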
This rule contains 1 string pattern ($c0) in its detection logic.
This YARA rule can be deployed in the following contexts; each scenario names a benign process expected to trigger it together with the exclusion to apply:
Scenario: System backup process using Veeam Backup & Replication encrypts data with RSA during backup jobs.
Filter/Exclusion: process.name != "vbmbackup.exe" AND process.name != "veeam.exe"
Scenario: Microsoft SQL Server performs encryption operations during database maintenance tasks.
Filter/Exclusion: process.name != "sqlservr.exe" AND process.name != "sqlagent.exe"
Scenario: Ansible automation playbook runs a task that uses OpenSSL for encrypting configuration files.
Filter/Exclusion: process.name != "ansible" AND process.name != "openssl"
Scenario: Windows Server Backup service encrypts system state using RSA during scheduled backups.
Filter/Exclusion: process.name != "wbadmin.exe" AND process.name != "services.exe"
Scenario: Docker container running a service that uses Java KeyStore (JKS) for encryption during runtime.
Filter/Exclusion: process.name != "java" AND process.name != "docker" AND process.name != "dockerd"
The inequalities in each exclusion are combined with AND (equivalently, process.name NOT IN (...)); joining them with OR would be true for every process, since a name can never equal both values, and would silence the rule entirely. Verify the process names against your own inventory before deploying a filter.