The detection identifies potential use of the FlyUtils.CnDES Decrypt ECB function, which may indicate adversaries attempting to decrypt sensitive data using a weak encryption method. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or decryption activities that could lead to data compromise.
YARA Rule
rule FlyUtilsCnDES_ECB_Decrypt {
    meta:
        author = "_pusher_"
        description = "Look for FlyUtils.CnDES Decrypt ECB function"
        date = "2016-07"
    strings:
        $c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B F9 89 55 F8 89 45 FC 8B 5D 18 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 84 DB 74 18 8B D3 8D 4D EC 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 EC 8D 45 F8 E8 ?? ?? ?? ?? 85 FF 75 07 E8 ?? ?? ?? ?? 8B F8 85 F6 75 07 E8 ?? ?? ?? ?? 8B F0 8B 4D FC B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 57 6A 00 33 C9 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F0 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 56 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 FF 75 14 FF 75 10 8B 45 0C 50 8B 4D F8 8B 55 F0 8B 45 F4 E8 ?? ?? ?? ?? 6A 00 6A 00 8B 45 F0 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 55 08 8B 45 F0 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 EB 12 E9 ?? ?? ?? ?? 8B 45 08 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F0 33 D2 89 55 F0 E8 ?? ?? ?? ?? C3 }
    condition:
        $c0
}
This rule uses a single string pattern ($c0) in its detection logic: a byte sequence from the compiled function, with ?? wildcards in place of the bytes that change between builds (such as relative call and jump targets). The rule may also fire in the following legitimate contexts, each listed with a suggested filter or exclusion:
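To make concrete what the $c0 hex string above matches, here is an added Python example (not part of the original rule or of the FlyUtils library) that translates a YARA hex string into a bytes regex and runs it over a constructed buffer. It uses only the leading fragment of $c0 (named C0_FRAGMENT here), and it goes beyond that pattern by also handling nibble wildcards (`?A`) and `[n-m]` jumps; the sample bytes are constructed, not taken from a real binary.

```python
import re

# Leading fragment of the rule's $c0 hex string; the rule's full pattern
# continues after this. `??` is a YARA wildcard matching any one byte (here
# it covers the relative call/jump targets, which change per build).
C0_FRAGMENT = (
    "55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B F9 89 55 F8 "
    "89 45 FC 8B 5D 18 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 "
    "E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20"
)

def hex_string_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (whitespace-separated tokens) into a
    bytes regex. Supports `??`, nibble wildcards and `[n]`/`[n-m]` jumps."""
    parts = []
    for tok in pattern.split():
        jump = re.fullmatch(r"\[(\d+)(?:-(\d+))?\]", tok)
        if jump:
            lo = int(jump.group(1))
            hi = int(jump.group(2)) if jump.group(2) else lo
            parts.append(r".{%d,%d}" % (lo, hi))          # variable-length gap
        elif re.fullmatch(r"[0-9A-Fa-f?]{2}", tok):
            if tok == "??":
                parts.append(".")                         # any single byte
            elif "?" in tok:
                # nibble wildcard: enumerate the 16 bytes it can stand for
                hi_nib, lo_nib = tok.upper()
                ok = [b for b in range(256)
                      if (hi_nib == "?" or b >> 4 == int(hi_nib, 16))
                      and (lo_nib == "?" or b & 0xF == int(lo_nib, 16))]
                parts.append("[" + "".join(r"\x%02x" % b for b in ok) + "]")
            else:
                parts.append(r"\x%s" % tok)               # fixed byte
        else:
            raise ValueError("unsupported hex-string token: %r" % tok)
    return re.compile("".join(parts).encode("ascii"), re.DOTALL)

def find_matches(pattern: str, data: bytes) -> list:
    """Offsets at which the hex string matches in `data`."""
    return [m.start() for m in hex_string_to_regex(pattern).finditer(data)]

def instantiate(pattern: str, filler: int = 0x11) -> bytes:
    """Concrete bytes for a `??`-only pattern (each wildcard -> filler)."""
    return bytes(filler if t == "??" else int(t, 16) for t in pattern.split())

# Constructed sample: 16 bytes of padding, the prologue fragment with its
# wildcard bytes filled in, then trailing zeros. Expected match offset: 16.
SAMPLE = b"\x90" * 16 + instantiate(C0_FRAGMENT, 0x42) + b"\x00" * 8
# Same buffer with the first fixed byte (0x55, push ebp) altered: no match.
SAMPLE_BROKEN = b"\x90" * 16 + b"\x56" + instantiate(C0_FRAGMENT)[1:] + b"\x00" * 8
```

Changing a wildcard byte in SAMPLE leaves the match intact, while changing any fixed byte breaks it, which is the trade-off a signature like $c0 makes between build-to-build robustness and false positives.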
Scenario: Scheduled Job Performing Data Decryption
Description: A legitimate scheduled job runs to decrypt sensitive data stored in an encrypted format using the FlyUtils.CnDES Decrypt ECB function as part of a data archival or migration process.
Filter/Exclusion: Check for the presence of a known job name or process ID associated with data migration or archival tasks. Example: process_name = "DataMigrationJob" or job_id = "JM123456"
Scenario: System Administration Task Using Encryption Tools
Description: An administrator uses a tool like SecureDataTool to decrypt files or database entries using the FlyUtils.CnDES Decrypt ECB function as part of routine maintenance or troubleshooting.
Filter/Exclusion: Filter by user account or command-line arguments that indicate administrative tasks, e.g., user = "admin", command_line LIKE '%SecureDataTool decrypt%'
Scenario: Integration with Legacy Systems
Description: A legacy system or integration tool (e.g., LegacySystemAPI) communicates with a backend service that uses FlyUtils.CnDES Decrypt ECB to decrypt data during API calls or data synchronization.
Filter/Exclusion: Exclude traffic from known integration services by checking source IP, destination IP, or application name, e.g., source_ip = "192.168.1.100" or application = "LegacySystemAPI"
Scenario: Testing Environment Decryption Activity
Description: A developer or QA team runs a test script or tool (e.g., TestDecryptTool) to verify encryption/decryption functionality using FlyUtils.CnDES Decrypt ECB in a test environment.
Filter/Exclusion: Filter based on environment tags or hostnames, e.g., hostname LIKE '%test%' or environment = "test"
Scenario: Log