Adversaries may be using LockBox TlbRsaKey to encrypt or exfiltrate sensitive data by leveraging RSA key operations in the environment. SOC teams should proactively hunt for this behavior to identify potential data encryption or exfiltration activities that could indicate a ransomware or data theft incident.
YARA Rule
rule LockBox_TlbRsaKey
{
    meta:
        author = "Maxx"
        description = "LockBox TlbRsaKey"
    strings:
        $c0 = { 53 56 84 D2 74 08 83 C4 F0 E8 ?? ?? ?? ?? 8B DA 8B F0 33 D2 8B C6 E8 ?? ?? ?? ?? 33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 46 0C 33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 46 10 8B C6 84 DB 74 0F E8 ?? ?? ?? ?? 64 8F 05 00 00 00 00 83 C4 0C 8B C6 5E 5B C3 }
    condition:
        $c0
}
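The rule above has a single hex string whose `??` tokens are single-byte wildcards, so the code-sequence it describes (the fixed opcodes) matches regardless of the call targets and addresses that were patched in. The following added example, which is not part of the original page and not from the rule's author, shows what that matching means in practice: it translates the hex string into a bytes regex the way a YARA engine treats it, and runs it over constructed buffers in which the wildcard positions hold different bytes. The padding bytes, offsets and `build_near_miss` helper are constructed for the example.

```python
import re

# Hex string $c0 from the page's YARA rule (copied here so the example runs stand-alone).
C0 = (
    "53 56 84 D2 74 08 83 C4 F0 E8 ?? ?? ?? ?? 8B DA 8B F0 33 D2 8B C6 E8 ?? ?? ?? ?? "
    "33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? "
    "89 46 0C 33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? "
    "E8 ?? ?? ?? ?? 89 46 10 8B C6 84 DB 74 0F E8 ?? ?? ?? ?? 64 8F 05 00 00 00 00 "
    "83 C4 0C 8B C6 5E 5B C3"
)


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex: each fixed byte becomes a \\xNN
    literal and each '??' becomes '.', which under DOTALL matches any single byte."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else b"\\x%02X" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, pattern: str = C0) -> list:
    """Offsets of every non-overlapping occurrence of the pattern in buf."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(buf)]


def instantiate(pattern: str, wildcard_byte: int) -> bytes:
    """Concrete byte sequence with every '??' replaced by wildcard_byte."""
    return bytes(wildcard_byte if tok == "??" else int(tok, 16) for tok in pattern.split())


# Constructed padding so the signature sits at a known offset (16) inside each sample.
PREFIX = b"\x90" * 16
SUFFIX = b"\x90" * 8


def build_sample(wildcard_byte: int) -> bytes:
    """Constructed buffer containing one instance of $c0 at offset 16."""
    return PREFIX + instantiate(C0, wildcard_byte) + SUFFIX


def build_near_miss(wildcard_byte: int) -> bytes:
    """Same buffer with the first fixed byte (0x53) altered: the rule must not fire on it."""
    body = bytearray(instantiate(C0, wildcard_byte))
    body[0] = 0x54
    return PREFIX + bytes(body) + SUFFIX


if __name__ == "__main__":
    print("hits, wildcards = 0x41:", scan(build_sample(0x41)))
    print("hits, wildcards = 0x00:", scan(build_sample(0x00)))
    print("hits, near miss:       ", scan(build_near_miss(0x41)))
```

The two `build_sample` calls hit at the same offset even though 36 of the 113 bytes differ between them, while changing one fixed byte in `build_near_miss` is enough to suppress the match. That is the trade-off a hunter should keep in mind when tuning such a rule: the wildcards make it tolerant of relocation and relinking, but any recompilation that changes the fixed opcode sequence will evade it.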
This rule contains one string pattern ($c0) in its detection logic. When the rule is deployed, the following benign scenarios can also trigger it; the filter next to each scenario is the condition a hit must satisfy to stay in the hunt, so a hit is dropped only when every part of that scenario holds at once:
Scenario: Scheduled backup of encryption keys using Microsoft Azure Key Vault
Filter/Exclusion: process.name != "AzureKeyVaultBackup.exe" or process.parent.name != "AzureKeyVaultService.exe"
Scenario: Windows Update or Group Policy refresh triggering key-related operations
Filter/Exclusion: process.name != "wuauclt.exe" and process.name != "gupdate.exe"
Scenario: Microsoft SQL Server performing encryption key rotation or backup
Filter/Exclusion: process.name != "sqlservr.exe" or not (process.command_line contains "sqlbackup")
Scenario: System Center Configuration Manager (SCCM) running a compliance scan that accesses encrypted data
Filter/Exclusion: process.name != "ConfigMgr.exe" or process.parent.name != "SCCMService.exe"
Scenario: Docker container or Kubernetes pod running a service that uses encrypted credentials
Filter/Exclusion: (process.name != "docker.exe" and process.name != "kubelet.exe") or not (process.command_line contains "encrypted-credentials")
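The exclusions above are keep-conditions: each benign scenario is a conjunction of facts about the process, and by De Morgan a hit survives the exclusion exactly when at least one of those facts fails. The following added example, which is not part of the original page, applies the five scenarios to constructed process events that are assumed to be the processes in which $c0 matched; it also shows why joining two `!=` tests on the same field with `or` excludes nothing. The process names are the page's own placeholders, and the `ProcEvent` type, the scenario labels and the sample events are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """Constructed stand-in for the process fields the page's filters reference."""
    name: str
    parent: str = ""
    command_line: str = ""


# Each benign scenario from the page as a predicate that is True only when *every*
# condition of that scenario holds for the event.
BENIGN_SCENARIOS = {
    "azure_keyvault_backup": lambda e: (e.name == "AzureKeyVaultBackup.exe"
                                        and e.parent == "AzureKeyVaultService.exe"),
    "windows_update_or_gpo": lambda e: e.name in ("wuauclt.exe", "gupdate.exe"),
    "sql_key_rotation": lambda e: (e.name == "sqlservr.exe"
                                   and "sqlbackup" in e.command_line),
    "sccm_compliance_scan": lambda e: (e.name == "ConfigMgr.exe"
                                       and e.parent == "SCCMService.exe"),
    "container_runtime": lambda e: (e.name in ("docker.exe", "kubelet.exe")
                                    and "encrypted-credentials" in e.command_line),
}


def matched_scenario(e: ProcEvent) -> Optional[str]:
    """Label of the first benign scenario the event matches completely, else None."""
    for label, predicate in BENIGN_SCENARIOS.items():
        if predicate(e):
            return label
    return None


def keep_event(e: ProcEvent) -> bool:
    """Keep-condition in De Morgan form: the hit survives when, for every scenario,
    at least one of its conditions fails, i.e. when it matches no scenario completely."""
    return matched_scenario(e) is None


def tautological_filter(e: ProcEvent) -> bool:
    """Two '!=' tests on the same field joined by 'or': no process name can equal both,
    so this is always True and suppresses nothing. A two-name exclusion needs 'and'."""
    return e.name != "wuauclt.exe" or e.name != "gupdate.exe"


def triage(hits):
    """Split YARA hits into the events to investigate and (event, reason) pairs suppressed."""
    kept, suppressed = [], []
    for e in hits:
        label = matched_scenario(e)
        if label is None:
            kept.append(e)
        else:
            suppressed.append((e, label))
    return kept, suppressed


# Constructed sample hits: each represents a process image in which $c0 matched.
SAMPLE_HITS = [
    ProcEvent("wuauclt.exe", parent="svchost.exe"),
    ProcEvent("gupdate.exe", parent="services.exe"),
    ProcEvent("sqlservr.exe", parent="services.exe",
              command_line="sqlservr.exe -sMSSQLSERVER sqlbackup"),
    ProcEvent("sqlservr.exe", parent="cmd.exe", command_line="sqlservr.exe -m"),
    ProcEvent("AzureKeyVaultBackup.exe", parent="powershell.exe"),
    ProcEvent("docker.exe", parent="dockerd.exe",
              command_line="docker run --env-file encrypted-credentials.env app"),
    ProcEvent("docker.exe", parent="explorer.exe", command_line="docker ps"),
    ProcEvent("unknown.exe", parent="explorer.exe"),
]

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_HITS)
    for e in kept:
        print("INVESTIGATE", e.name, "parent=" + e.parent)
    for e, why in suppressed:
        print("SUPPRESSED ", e.name, "reason=" + why)
```

Note that the AzureKeyVaultBackup.exe hit with an unexpected parent and the sqlservr.exe hit without the backup argument both stay in the hunt: an exclusion written as a full scenario only removes hits that satisfy all of it, which is the behaviour the filters above are meant to have.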