This rule matches the compiled body of the DecryptRsaEx routine from TurboPower LockBox, a cryptography library for Delphi and C++Builder, as it appears in 32-bit Delphi-built executables. It is a static library-identification signature, not a behavioural detection: a hit tells you that the scanned file carries LockBox's RSA decryption code, which is useful when triaging a sample to learn that it is able to decrypt RSA-protected keys or payloads. It does not, by itself, show that any decryption, exfiltration or lateral movement took place. YARA rules operate on file and memory content, so this rule belongs in a file scanner (the yara CLI, an EDR or sandbox with YARA support, a mail or upload gateway). Microsoft Sentinel (formerly Azure Sentinel) sees log and process telemetry rather than bytes, so the hunting step there is to query the alerts that endpoint or sandbox tooling raises when this rule fires, not to run the rule itself.
YARA Rule
rule LockBox_DecryptRsaEx
{
    meta:
        author = "Maxx"
        description = "LockBox DecryptRsaEx"
    strings:
        $c0 = { 55 8B EC 83 C4 F4 53 56 57 89 4D F8 89 55 FC 8B D8 33 C0 8A 43 04 0F B7 34 45 ?? ?? ?? ?? 0F B7 3C 45 ?? ?? ?? ?? 8B CE B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 55 FC 8B CE 8B 45 F4 E8 ?? ?? ?? ?? 6A 00 B1 02 8B D3 8B 45 F4 E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 3B C7 7E 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 8B C8 8B 55 F8 8B 45 F4 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 }
    condition:
        $c0
}
The rule has a single hex string, $c0, and fires whenever that string occurs anywhere in the scanned object. There is no file-type guard in the condition (no PE header check, no size limit), so it can be run over raw files, memory dumps and carved blobs alike; if it is deployed only against executables, a header check in the condition will cut scan time on large corpora.
The string is 160 bytes long, of which 104 are fixed and 56 are masked with ??. The fixed bytes are the Delphi register-convention prologue (push ebp; mov ebp, esp; add esp, -0Ch; push ebx; push esi; push edi; the eax, edx and ecx arguments spilled to the frame), two movzx table lookups indexed by a key-size field, a try/finally frame set up through fs:[0], and the matching frame teardown at the end. Every masked run is a 4-byte operand that the linker or load address decides: call displacements (E8), absolute data addresses (A1, and the displacement of the movzx lookups), an immediate pushed for the exception frame (68) and an immediate loaded into ecx before what looks like a raise (B9). Masking those is what lets one signature survive relinking and rebasing; everything else must match byte for byte.
Scenario: A legitimate Delphi or C++Builder application that statically links TurboPower LockBox. Any such program, whether a password manager, a licensing component or an in-house tool, carries this exact routine and matches; the byte pattern says nothing about intent.
Filter/Exclusion: Allowlist the matched file by identity (its SHA-256, or a valid code-signing signature from a publisher you trust) and record the hit as "contains LockBox RSA decryption code" in triage notes rather than suppressing it silently. Process-level fields such as process.name, process.parent_process or process.command_line describe runtime telemetry, not file content, so an exclusion written against them cannot remove a static match and only hides whichever file produced it.
Scenario: A hit attributed to a Windows component or Microsoft service (Process Explorer, wbadmin.exe, sqlservr.exe, or svchost.exe hosting Windows Update or Group Policy).
Filter/Exclusion: Do not exclude these names. Those programs are not built with Delphi and do not embed LockBox, so a genuine $c0 match reported under one of them means the scanner looked at a different object (a dropped executable, an injected module, a memory region), and that object is what to investigate.
Scenario: A binary built with a different Delphi version or different compiler settings, where the code generator lays the routine out with other registers or encodings.
Filter/Exclusion: None; this is a miss, not a false positive. The rule is exact on 104 bytes of one compilation, so treat it as high precision and low recall, and do not read a non-match as evidence that a file is free of LockBox.