The Miracl_Big_constructor rule matches a 19-byte sequence of 32-bit x86 machine code consistent with the compiled default constructor of the Big class in MIRACL, a multiprecision arithmetic and cryptography library. Decoded, the bytes read: push esi; mov esi, ecx (the this pointer, thiscall convention); push 0; call rel32 (the call into MIRACL's big-number allocator, mirvar(0), whose displacement is wildcarded); add esp, 4; mov [esi], eax (store the returned handle in the object); mov eax, esi; pop esi; ret. A hit therefore means the scanned file or memory region contains code statically linked from MIRACL (or copied from it), which is useful when triaging samples that carry their own big-number or public-key routines. It is a library fingerprint, not an indicator of compromise: legitimate software built against MIRACL matches just as well, so the rule is a classification aid rather than an alert source on its own. YARA evaluates file contents and process memory, not process names, so the rule belongs in sample triage pipelines, endpoint file scans and memory scans; hits can be forwarded to a SIEM for correlation with other signals, but the matching itself does not happen in a SIEM query.
YARA Rule
rule Miracl_Big_constructor
{
    meta:
        author = "Maxx"
        description = "Miracl Big constructor"
    strings:
        $c0 = { 56 8B F1 6A 00 E8 ?? ?? ?? ?? 83 C4 04 89 06 8B C6 5E C3 }
    condition:
        $c0
}
This YARA rule can be deployed wherever YARA scans raw bytes: static triage of collected samples, endpoint file scanning, and scans of process memory (which also catches binaries whose MIRACL code is only present after unpacking).
The rule contains one hex string pattern ($c0) and fires on a single occurrence of it anywhere in the scanned data. The four ?? wildcards cover the 32-bit relative displacement of the call instruction, which differs in every binary; every other byte is fixed. Because the sequence is 32-bit x86 code as emitted by one compiler using the thiscall convention, 64-bit builds of MIRACL, builds from other compilers or optimisation settings, and binaries that are packed or obfuscated on disk will not match. Treat a miss as no evidence either way.
Tuning: a hit on this rule is expected from any legitimate program that links MIRACL, so exclusions should identify the known-good binary, not suppress the match. The filters below use ECS-style field names and assume the YARA hit has been enriched with file metadata (hash, path, code signature, host) before it reaches the SIEM.
Scenario: In-house or vendor application that statically links MIRACL for its cryptographic arithmetic
Filter/Exclusion: file.hash.sha256 in <known-good hash list>. Allowlist by content hash, not by file name or path, since both are attacker-controlled; refresh the list whenever the application is rebuilt.
Scenario: Commercial software signed by a trusted publisher
Filter/Exclusion: file.code_signature.valid == true AND file.code_signature.subject_name in <trusted publisher list>. Require a verified signature, not merely the presence of one.
Scenario: Developer workstations and build servers that compile against MIRACL (object files, test binaries and intermediate build output)
Filter/Exclusion: host.name in <build host group> AND file.path startswith <build output root>. Keep alerting when the same hash appears outside those paths or hosts.
Scenario: Malware analysis hosts and sample repositories, where MIRACL-linked samples are stored deliberately
Filter/Exclusion: host.name in <analysis host group> OR file.path startswith <sample store root>. Exclude the store from routine endpoint scanning rather than silencing the rule globally.
Scenario: Unknown binary with no allowlist entry
Filter/Exclusion: none. Route to triage: check whether the binary also matches other crypto-library or packer signatures, whether it is signed, and where it came from. The MIRACL fingerprint alone is not an alert.