The Miracl crt rule detects potential credential theft or unauthorized access attempts by monitoring unusual certificate-related activities that may indicate an adversary leveraging stolen credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to deeper network infiltration.
YARA Rule
rule Miracl_crt
{
    meta:
        author = "Maxx"
        description = "Miracl crt"
    strings:
        $c0 = { 51 56 57 E8 ?? ?? ?? ?? 8B 74 24 10 8B F8 89 7C 24 08 83 7E 0C 02 0F 8C 99 01 00 00 8B 87 18 02 00 00 85 C0 0F 85 8B 01 00 00 8B 57 1C 42 8B C2 89 57 1C 83 F8 18 7D 17 C7 44 87 20 4A 00 00 00 8B 87 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 46 04 8B 54 24 14 53 55 8B 08 8B 02 51 50 E8 ?? ?? ?? ?? 8B 4E 0C B8 01 00 00 00 83 C4 08 33 ED 3B C8 89 44 24 18 0F 8E C5 00 00 00 BF 04 00 00 00 8B 46 04 8B 0C 07 8B 10 8B 44 24 1C 51 52 8B 0C 07 51 E8 ?? ?? ?? ?? 8B 56 04 8B 4E 08 8B 04 }
    condition:
        $c0
}
This rule contains one string pattern ($c0, a hex byte sequence with `??` wildcards for relocated call targets) in its detection logic; the condition fires whenever that sequence appears anywhere in the scanned data.
This YARA rule can be deployed in the following contexts, each with a suggested filter/exclusion to reduce benign matches:
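To show how the rule's single hex string is actually evaluated, the following is an added example (not part of the original page and not the rule author's code) that parses the $c0 pattern, treats each `??` as a one-byte wildcard exactly as YARA does, and scans a buffer for it. The sample buffer is constructed here by filling the wildcard positions with arbitrary bytes, so it stands in for a real scan target; the `parse_hex_string`, `find_hex_pattern`, `build_sample` and `scan_for_miracl_crt` names are this example's own.

```python
import re

# The $c0 hex string, copied verbatim from the Miracl_crt rule on this page.
MIRACL_CRT_C0 = (
    "51 56 57 E8 ?? ?? ?? ?? 8B 74 24 10 8B F8 89 7C 24 08 83 7E 0C 02 0F 8C 99 01 00 00 "
    "8B 87 18 02 00 00 85 C0 0F 85 8B 01 00 00 8B 57 1C 42 8B C2 89 57 1C 83 F8 18 7D 17 "
    "C7 44 87 20 4A 00 00 00 8B 87 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 46 04 8B 54 "
    "24 14 53 55 8B 08 8B 02 51 50 E8 ?? ?? ?? ?? 8B 4E 0C B8 01 00 00 00 83 C4 08 33 ED "
    "3B C8 89 44 24 18 0F 8E C5 00 00 00 BF 04 00 00 00 8B 46 04 8B 0C 07 8B 10 8B 44 24 "
    "1C 51 52 8B 0C 07 51 E8 ?? ?? ?? ?? 8B 56 04 8B 4E 08 8B 04"
)


def parse_hex_string(pattern: str) -> list:
    """Parse a YARA hex string into a list where each entry is an int (a fixed
    byte) or None (a '??' wildcard). Jumps such as [4-6] and nibble wildcards
    are not used by this rule and are rejected here rather than guessed at."""
    parsed = []
    for tok in pattern.split():
        if tok == "??":
            parsed.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parsed.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported hex token: {tok}")
    return parsed


def find_hex_pattern(data: bytes, parsed: list) -> list:
    """Return every offset in data at which the parsed pattern matches.
    A wildcard (None) accepts any byte; every other position must be equal."""
    n = len(parsed)
    hits = []
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(parsed)):
            hits.append(off)
    return hits


def scan_for_miracl_crt(data: bytes) -> list:
    """Evaluate the rule's condition ('$c0' present anywhere) against data and
    return the match offsets, which is what a YARA scan would report."""
    return find_hex_pattern(data, parse_hex_string(MIRACL_CRT_C0))


def build_sample(parsed: list, fill: int = 0x90) -> bytes:
    """Construct a byte string satisfying the pattern by filling wildcards.
    The fill value is arbitrary: the four '??' after each E8 are the relative
    call displacement, which differs between builds and is why the rule
    wildcards them."""
    return bytes(fill if p is None else p for p in parsed)


if __name__ == "__main__":
    pattern = parse_hex_string(MIRACL_CRT_C0)
    # Constructed test buffer: padding, then the matching sequence, then more padding.
    buf = b"\x00" * 16 + build_sample(pattern) + b"\xff" * 8
    print("pattern length:", len(pattern), "bytes")
    print("match offsets:", scan_for_miracl_crt(buf))
```

Note that a single fixed-byte difference (for example a recompiled function with a different register allocation) defeats the match entirely, while any value in the wildcard positions still matches; that is the trade-off the rule author made by wildcarding only the call displacements. The same check against the real engine is `yara.compile(source=rule_text).match(data=buf)` with the yara-python package.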
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: process.parent_process_name != "veeambackup" or process.name != "vmbackup.exe"

Scenario: Administrative task to update Miracl CRT certificate on a server
Filter/Exclusion: process.command_line contains "update-cert" or process.user contains "domain\administrator"

Scenario: Regular maintenance job using PowerShell to clean temporary files
Filter/Exclusion: process.name contains "powershell.exe" and process.command_line contains "Clear-Item"

Scenario: User-initiated certificate import via Microsoft Management Console (MMC)
Filter/Exclusion: process.name contains "mmc.exe" and process.command_line contains "certmgr.msc"

Scenario: Automated certificate renewal using Let’s Encrypt and Certbot
Filter/Exclusion: process.name contains "certbot.exe" or process.command_line contains "renew"