The LockBox_EncryptRsaEx rule matches a code pattern from the LockBox EncryptRsaEx routine, flagging potential adversary use of RSA encryption to exfiltrate or obscure data; a hit indicates possible data manipulation or covert communication. SOC teams should hunt for this pattern proactively in Azure Sentinel so that early-stage, encryption-based activity which evades traditional detections is identified and mitigated.
YARA Rule
rule LockBox_EncryptRsaEx
{
    meta:
        author = "Maxx"
        description = "LockBox EncryptRsaEx"
    strings:
        $c0 = { 55 8B EC 83 C4 F8 53 56 57 89 4D FC 8B FA 8B F0 33 C0 8A 46 04 0F B7 1C 45 ?? ?? ?? ?? 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B D7 8B 4D 08 8B 45 F8 E8 ?? ?? ?? ?? 6A 01 B1 02 8B D6 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 3B C3 7E 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B C8 8B 55 FC 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F8 E8 }
    condition:
        $c0
}
This rule contains one string pattern ($c0) in its detection logic. It can be deployed in the following contexts, each paired with a filter or exclusion for tuning out legitimate activity:
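The `??` tokens in $c0 are single-byte wildcards: they sit exactly where the compiler emits operands that change from build to build (the four bytes after each E8 call and A1 absolute load, and the pushed address after 68), so the fixed opcode skeleton is matched while relocation-dependent bytes are ignored. The script below is an added example, not code from the page or from any YARA or LockBox project; it reimplements that wildcard matching with Python's `re` module over the page's own $c0 string so the behaviour can be checked offline. The sample buffers it scans are constructed here (a zero prefix, the pattern with its wildcards filled, and int3 padding); the function names are this example's own.

```python
import re

# Hex string $c0 from the page's LockBox_EncryptRsaEx rule, copied verbatim.
LOCKBOX_C0 = (
    "55 8B EC 83 C4 F8 53 56 57 89 4D FC 8B FA 8B F0 33 C0 8A 46 04 0F B7 1C 45 "
    "?? ?? ?? ?? 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 33 C0 55 68 "
    "?? ?? ?? ?? 64 FF 30 64 89 20 8B D7 8B 4D 08 8B 45 F8 E8 ?? ?? ?? ?? "
    "6A 01 B1 02 8B D6 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? "
    "3B C3 7E 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? "
    "E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B C8 8B 55 FC 8B 45 F8 E8 "
    "?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F8 E8"
)


def tokenize(pattern: str) -> list:
    """Split a YARA hex string into tokens; only fixed bytes and the ?? wildcard
    are supported here (nibble masks such as 4? and jumps such as [4-6] are not)."""
    tokens = pattern.split()
    for tok in tokens:
        if tok != "??" and not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            raise ValueError(f"unsupported hex-string token: {tok!r}")
    return tokens


def pattern_stats(pattern: str) -> tuple:
    """Return (total bytes, wildcard bytes) so the fixed/masked ratio can be judged."""
    tokens = tokenize(pattern)
    return len(tokens), sum(1 for t in tokens if t == "??")


def hex_string_to_regex(pattern: str) -> re.Pattern:
    """Compile the hex string to a bytes regex: ?? becomes '.', fixed bytes are escaped literals."""
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokenize(pattern)]
    # DOTALL so that '.' also matches 0x0A, which is just another byte in binary data.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, pattern: str) -> list:
    """Offsets of every (non-overlapping) occurrence of the pattern in data."""
    return [m.start() for m in hex_string_to_regex(pattern).finditer(data)]


def concretize(pattern: str, wildcard_fill: int) -> bytes:
    """Turn the pattern into concrete bytes by filling every ?? with one value (constructed input)."""
    return bytes(wildcard_fill if t == "??" else int(t, 16) for t in tokenize(pattern))


def build_sample(wildcard_fill: int = 0x00, prefix_len: int = 64) -> bytes:
    """Constructed stand-in for a code section: zero prefix, the prologue bytes, int3 padding."""
    return b"\x00" * prefix_len + concretize(LOCKBOX_C0, wildcard_fill) + b"\xCC" * 16


def break_fixed_byte(data: bytes, offset: int) -> bytes:
    """Flip one fixed opcode byte so the skeleton no longer matches (demonstrates the non-wildcard part)."""
    mutated = bytearray(data)
    mutated[offset] ^= 0x01
    return bytes(mutated)


if __name__ == "__main__":
    total, wild = pattern_stats(LOCKBOX_C0)
    print(f"$c0: {total} bytes, {wild} wildcards, {total - wild} fixed")
    for fill in (0x00, 0xFF):
        print(f"wildcards filled with {fill:#04x}: hits at {scan(build_sample(fill), LOCKBOX_C0)}")
    print("first opcode byte flipped:", scan(break_fixed_byte(build_sample(), 64), LOCKBOX_C0))
```

Two different wildcard fills produce the same hit at the same offset, while changing a single fixed byte (the leading `push ebp`, 0x55) removes the hit entirely; that is the trade-off a rule author makes when choosing which bytes to mask. For production scanning use the real engine (for example the `yara-python` bindings with `yara.compile(source=...)` and `rules.match(data=...)`) rather than this reimplementation, which covers only the `??` subset of YARA's hex-string syntax.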
Scenario: System administrators using PowerShell to encrypt sensitive data using ConvertTo-SecureString for credential storage in Azure Key Vault
Filter/Exclusion: Check for ProcessName containing powershell and CommandLine containing ConvertTo-SecureString or Azure Key Vault.
Scenario: Windows Task Scheduler running a scheduled job that uses LockBox for encrypted data transfer between servers
Filter/Exclusion: Filter by ProcessName containing schtasks or Task Scheduler and exclude known legitimate job names or paths.
Scenario: Microsoft SQL Server using SQL Server Integration Services (SSIS) to encrypt data during ETL processes
Filter/Exclusion: Filter by ProcessName containing sqlservr or dtexec and check for CommandLine containing SSIS or SQL Server.
Scenario: System Center Configuration Manager (SCCM) performing a software deployment that includes encrypted payloads
Filter/Exclusion: Filter by ProcessName containing smsexec or ccmexec and exclude known SCCM deployment tasks or paths.
Scenario: Windows Update or Group Policy applying encrypted configuration files during system configuration
Filter/Exclusion: Filter by ProcessName containing wuauclt or gpupdate and exclude known update or policy application tasks.