FGint RsaSign | SOC Hunt Feed

Hunt Hypothesis

Adversaries may be using FGint RsaSign to sign payloads and evade signature-based detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware execution and exfiltration activities.

YARA Rule

rule FGint_RsaSign
{	meta:
		author = "Maxx"
		description = "FGint RsaSign"
	strings:
		$c0 = { 55 8B EC 83 C4 B8 53 56 57 89 4D F8 8B FA 89 45 FC 8B 75 0C 8B 5D 10 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 F0 }
	condition:
		$c0
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

Microsoft Defender for Endpoint — Custom indicators / advanced hunting
Email Gateway — Attachment scanning
File Share Monitoring — Periodic scanning of shared drives
YARA CLI — Manual threat hunting on endpoints

This rule contains 1 string patterns in its detection logic.

Source Rule

False Positive Guidance

Scenario: System update or patching using Windows Update or Group Policy
Filter/Exclusion: Check for ProcessName containing wuauclt.exe or gupdate.exe, or filter by ParentProcessName matching services.exe or taskhost.exe.
Scenario: Scheduled job running PowerShell scripts for system maintenance
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for CommandLine arguments that include -File or -Command with known maintenance scripts.
Scenario: Microsoft Defender Antivirus performing a signature update or full scan
Filter/Exclusion: Filter by ProcessName containing MsMpEng.exe or MSPaint.exe (for Defender UI), or check for CommandLine arguments like /Scan or /Update.
Scenario: SQL Server Agent Job executing a backup or maintenance task
Filter/Exclusion: Filter by ProcessName containing sqlservr.exe or sqlagent.exe, and check for CommandLine arguments related to backup or maintenance operations.
Scenario: Windows Task Scheduler running a legitimate administrative task
Filter/Exclusion: Filter by ProcessName containing schtasks.exe or taskhost.exe, and check for ParentProcessName matching services.exe or explorer.exe.