LockBox is a Delphi cryptography library, and RsaEncryptFile is its RSA file-encryption routine. The rule below fingerprints the compiled form of that function rather than any behaviour: the hex pattern is a 32-bit Delphi function body (push ebp / mov ebp,esp / add esp,-8 prologue with arguments in eax, edx and ecx), two constructor calls (the mov dl,1 / mov eax,[VMT] / call sequence is how Delphi invokes Create) each wrapped in a try/finally frame (xor eax,eax / push ebp / push handler / push fs:[eax] / mov fs:[eax],esp), the call that does the encryption, and the finally block that frees the second object before ret. The 0x20 and 0xFFFF immediates are consistent with Delphi's fmShareDenyWrite and fmCreate file-mode constants. VMT addresses, call targets and handler addresses are wildcarded so the match survives relocation and recompilation. Because it is a static code signature, it fires on any executable or process memory that statically links this function: an adversary may ship such a binary to encrypt files for extortion or before exfiltration, but legitimate Delphi software that links LockBox matches just the same. Run the rule in a YARA-capable file or memory scanner (EDR, sandbox, mail gateway), triage each hit by file hash, Authenticode signer and install path, and forward the match events to your SIEM; Azure Sentinel does not evaluate YARA itself, so hunting there means querying the scanner's match events, not the bytes.
YARA Rule
rule LockBox_RsaEncryptFile
{
    meta:
        author = "Maxx"
        description = "LockBox RsaEncryptFile"
    strings:
        // 32-bit Delphi function body: prologue, two constructor calls each wrapped in a
        // try/finally frame (33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20), the encrypt call,
        // then the finally block that frees the second object and returns.
        // VMT addresses, call targets and exception-handler addresses are wildcarded.
        $c0 = { 55 8B EC 83 C4 F8 53 56 8B F1 8B DA 6A 20 8B C8 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 FC 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 68 FF FF 00 00 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8A 45 08 50 8B CE 8B 55 F8 8B 45 FC E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? C3 }
    condition:
        $c0
}
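To make the wildcard semantics of the rule concrete, the following is an added example (not part of the original page and not LockBox or YARA code) that tokenises the rule's hex string, turns it into a byte regex where each ?? matches any single byte, and runs it over two constructed buffers: one containing a fabricated copy of the function body with arbitrary bytes in the wildcard slots, and one where only the final ret byte differs. The sample buffers are constructed for the example and are not real executables.

```python
import re

# The hex string from the LockBox_RsaEncryptFile rule, copied verbatim.
LOCKBOX_RSAENCRYPTFILE = (
    "55 8B EC 83 C4 F8 53 56 8B F1 8B DA 6A 20 8B C8 B2 01 A1 ?? ?? ?? ?? "
    "E8 ?? ?? ?? ?? 89 45 FC 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 "
    "68 FF FF 00 00 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 "
    "33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8A 45 08 50 8B CE 8B 55 F8 "
    "8B 45 FC E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? "
    "8B 45 F8 E8 ?? ?? ?? ?? C3"
)


def parse_hex_pattern(pattern: str) -> list:
    """Tokenise a YARA hex string: each token is an int, or None for a '??' wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def compile_pattern(tokens):
    """Build a bytes regex: fixed bytes become escaped literals, wildcards become '.'.
    re.DOTALL is required so '.' also matches a 0x0A byte."""
    parts = [b"." if t is None else re.escape(bytes([t])) for t in tokens]
    return re.compile(b"".join(parts), re.DOTALL)


def find_pattern(data: bytes, pattern: str) -> list:
    """Return every offset in data where the hex pattern matches (YARA's @c0 offsets)."""
    rx = compile_pattern(parse_hex_pattern(pattern))
    return [m.start() for m in rx.finditer(data)]


def instantiate(tokens, filler: bytes) -> bytes:
    """Fabricate a concrete byte sequence: fixed bytes as-is, wildcard slots filled
    from `filler` (cycled), standing in for the addresses a real build would contain."""
    out = bytearray()
    n = 0
    for t in tokens:
        if t is None:
            out.append(filler[n % len(filler)])
            n += 1
        else:
            out.append(t)
    return bytes(out)


_TOKENS = parse_hex_pattern(LOCKBOX_RSAENCRYPTFILE)
_BODY = instantiate(_TOKENS, b"\x10\x20\x40\x00")

# Constructed sample "image": a fake 2-byte header, 30 bytes of padding, the fabricated
# function body at offset 32, then trailing padding. This is not a real PE file.
SAMPLE_HIT = b"MZ" + b"\x90" * 30 + _BODY + b"\xCC" * 16

# Same layout, but the final ret (C3) replaced by ret 4 (C2 04 00): a near miss showing
# that every fixed byte has to line up for the rule to fire.
SAMPLE_MISS = b"MZ" + b"\x90" * 30 + _BODY[:-1] + b"\xC2\x04\x00" + b"\xCC" * 16


if __name__ == "__main__":
    print("wildcard bytes:", sum(t is None for t in _TOKENS), "of", len(_TOKENS))
    print("hit offsets: ", find_pattern(SAMPLE_HIT, LOCKBOX_RSAENCRYPTFILE))
    print("miss offsets:", find_pattern(SAMPLE_MISS, LOCKBOX_RSAENCRYPTFILE))
```

Of the 120 bytes in the pattern, 36 are wildcards, all of them 4-byte operands (VMT pointers, call displacements and handler addresses); the 84 fixed bytes are the opcode skeleton that a compiler emits identically for every build, which is why the rule is stable across versions of software that links LockBox and why it cannot distinguish a malicious binary from a benign one.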
This rule contains one hex string pattern in its detection logic, and the condition fires wherever that pattern occurs. Any scanner that evaluates YARA rules against files or process memory can run it.
The scenarios below are false-positive and triage cases for this rule. Note that the rule matches compiled LockBox code inside an image, not encryption activity; filters on ProcessName or CommandLine apply to the EDR or SIEM query that surfaces a YARA hit, never to the rule itself, and an exclusion keyed on a process name is bypassed by renaming a binary.
Scenario: Legitimate Delphi Software – An in-house or commercial Delphi application statically links LockBox and calls RsaEncryptFile. This is the realistic benign match for this rule.
Filter/Exclusion: Allow-list the specific binary by SHA-256 and, if it is signed, by Authenticode signer, and record its expected install path. A hit from the expected path with an unknown hash needs review (a legitimate update or a replaced binary); a hit from an unexpected path, or on an unsigned binary, is an alert.
Scenario: Scheduled Job – A Windows Task Scheduler job runs a LockBox-based tool as part of a nightly data archiving process.
Filter/Exclusion: Allow-list the tool's image by hash as above and confirm the task's action points at its expected path. Do not exclude on schtasks.exe or on "Task Scheduler": the match is on the tool's image, not on the scheduler, and such a filter would also hide a malicious binary launched by a scheduled task.
Scenario: Built-in Windows Encryption and Admin Tools – An administrator encrypts files with certutil, EFS (cipher.exe) or BitLocker (manage-bde.exe), drives them from PowerShell, or inspects processes with Sysinternals Process Explorer (procexp.exe).
Filter/Exclusion: None needed. These Microsoft and Sysinternals binaries do not contain LockBox code and will not match the pattern. If one of them does match, treat it as a tampered or renamed file rather than excluding it.
Scenario: Development Environment – A developer tests RSA encryption with Python or Java libraries (e.g., pycryptodome or Bouncy Castle), or builds Delphi projects against LockBox.
Filter/Exclusion: python.exe and java.exe will not match, since the pattern is Delphi machine code. Delphi build output that links LockBox will match on every compile, so scope scanning away from known build trees or allow-list them by path on developer hosts, and still alert on the same binaries if they appear outside those paths.
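To show the hash-and-path triage described in these scenarios in working form, the following is an added example (not part of the original page, and not tied to any real product) that assigns one of three verdicts to a YARA hit: allowlisted (known-good hash), review (expected install path but unknown hash) or alert (neither). The allow-list entries, install path and file contents are all constructed for the example; the path check is case-insensitive and component-wise so that a neighbouring directory with a shared prefix is not treated as the approved one.

```python
import hashlib
from pathlib import PureWindowsPath


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the scanned image, the key used for allow-listing."""
    return hashlib.sha256(data).hexdigest()


def under_path(path: str, prefix: str) -> bool:
    """True if `path` is inside directory `prefix` (case-insensitive, whole components).
    Canonicalise junctions and 8.3 short names on the endpoint before comparing."""
    p = [s.lower() for s in PureWindowsPath(path).parts]
    q = [s.lower() for s in PureWindowsPath(prefix).parts]
    return p[: len(q)] == q


def triage(path: str, image: bytes, allowed_hashes: dict, allowed_prefixes: list) -> str:
    """Verdict for a LockBox_RsaEncryptFile hit on `image` found at `path`."""
    digest = sha256_hex(image)
    if digest in allowed_hashes:
        return "allowlisted"
    if any(under_path(path, pre) for pre in allowed_prefixes):
        # Right place, wrong hash: a software update, or a replaced/trojanised binary.
        return "review"
    return "alert"


# Constructed stand-ins for file contents; a real hit would carry the matched function body.
ARCHIVER_V1 = b"MZ" + b"archiver-build-1"
ARCHIVER_V2 = b"MZ" + b"archiver-build-2"

# Hypothetical allow-list: the one LockBox-linked tool this estate expects to see.
ALLOWED_HASHES = {sha256_hex(ARCHIVER_V1): "ArchiveTool nightly job"}
ALLOWED_PREFIXES = [r"C:\Program Files\ArchiveTool"]


if __name__ == "__main__":
    cases = [
        (r"C:\Program Files\ArchiveTool\archiver.exe", ARCHIVER_V1),
        (r"c:\program files\archivetool\archiver.exe", ARCHIVER_V2),
        (r"C:\Program Files\ArchiveTool2\archiver.exe", ARCHIVER_V2),
        (r"C:\Users\Public\schtasks.exe", ARCHIVER_V2),
    ]
    for path, image in cases:
        print(triage(path, image, ALLOWED_HASHES, ALLOWED_PREFIXES), path)
```

The last case makes the point from the scheduled-job scenario: a file named schtasks.exe outside the expected path with an unknown hash is an alert, whatever its name says.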