The Miracl_powmod rule detects the MIRACL cryptographic library's modular-exponentiation (powmod) routine by the byte pattern of its compiled code, which may indicate custom encryption or obfuscation built on that library. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threats leveraging cryptographic anomalies for data exfiltration or persistence.
YARA Rule
rule Miracl_powmod
{
    meta:
        author = "Maxx"
        description = "Miracl powmod"
    strings:
        $c0 = { 53 55 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 18 02 00 00 85 C0 0F 85 EC 01 00 00 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 12 00 00 00 8B 86 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 06 8B 4E 10 3B C1 74 2E 8B 7C 24 1C 57 E8 ?? ?? ?? ?? 83 C4 04 83 F8 02 7C 33 8B 57 04 8B 0E 51 8B 02 50 E8 ?? ?? ?? ?? 83 C4 08 83 F8 01 0F 84 58 01 00 00 EB 17 8B 7C 24 1C 6A 02 57 E8 ?? ?? ?? ?? 83 C4 08 85 C0 0F 84 3F 01 00 00 8B 8E C4 01 00 00 8B 54 24 18 51 52 E8 ?? ?? ?? ?? 8B 86 CC }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
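To show what the `$c0` hex string actually matches, here is an added Python example (not part of the rule page, YARA or MIRACL) that translates the pattern's fixed bytes and `??` wildcards into a bytes regex and runs it over a constructed buffer; `PAD`, `scan`, `sample_buffer` and the test buffer itself are assumptions of the example, not anything the rule defines.

```python
import re

# $c0 copied verbatim from the Miracl_powmod rule above. "??" is a YARA wildcard
# for any single byte. Each "E8 ?? ?? ?? ??" is an x86 CALL rel32 whose
# displacement changes from build to build, so the rule masks those four bytes
# and anchors on the fixed opcodes around them (53 55 56 57 = push ebx/ebp/esi/edi).
C0 = """
53 55 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 18 02 00 00 85 C0 0F 85 EC 01 00 00
8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 12 00 00 00 8B 86 2C
02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 06 8B 4E 10 3B C1 74 2E 8B 7C 24 1C
57 E8 ?? ?? ?? ?? 83 C4 04 83 F8 02 7C 33 8B 57 04 8B 0E 51 8B 02 50 E8 ??
?? ?? ?? 83 C4 08 83 F8 01 0F 84 58 01 00 00 EB 17 8B 7C 24 1C 6A 02 57 E8
?? ?? ?? ?? 83 C4 08 85 C0 0F 84 3F 01 00 00 8B 8E C4 01 00 00 8B 54 24 18
51 52 E8 ?? ?? ?? ?? 8B 86 CC
"""
PAD = 16  # constructed filler bytes (0x00..0x0F) placed before the pattern

def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string made of fixed bytes and ?? wildcards into a
    compiled bytes regex (only the subset of hex-string syntax that $c0 uses)."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(buf: bytes, pattern: str = C0):
    """Offset of the first match of pattern in buf, or None. YARA's condition
    '$c0' is true exactly when this returns an offset."""
    m = hex_pattern_to_regex(pattern).search(buf)
    return m.start() if m else None

def sample_buffer(wildcard_fill: int = 0x00, corrupt: bool = False) -> bytes:
    """Constructed test input: PAD filler bytes (none equal to 0x53, so no match
    can start early), then $c0 with every ?? set to wildcard_fill. corrupt=True
    overwrites the first fixed opcode after the first CALL (8B of mov esi,eax)
    with a NOP, so a single changed non-wildcard byte defeats the match."""
    filler = bytes(range(PAD))
    body = bytearray(wildcard_fill if t == "??" else int(t, 16) for t in C0.split())
    if corrupt:
        body[9] = 0x90
    return filler + bytes(body)

if __name__ == "__main__":
    for fill in (0x00, 0xFF):  # any displacement bytes match: offset 16 both times
        print(f"wildcards={fill:#04x}: match at {scan(sample_buffer(fill))}")
    print("corrupted:", scan(sample_buffer(corrupt=True)))  # None
```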
Scenario: Scheduled job running powmod as part of a cryptographic key generation process
Filter/Exclusion: process.parent_process_name == "keytool" OR process.parent_process_name == "openssl"
Scenario: System administrator using Miracl library for secure authentication during user login
Filter/Exclusion: process.name == "miracl_auth_service" OR (process.user == "root" AND process.command_line CONTAINS "auth")
Scenario: Automated backup tool using Miracl for secure data encryption during backup operations
Filter/Exclusion: (process.name == "backup_tool" AND process.command_line CONTAINS "encrypt") OR process.user == "backup_user"
Scenario: Development environment running Miracl-based cryptographic tests
Filter/Exclusion: process.name == "test_miracl" OR process.command_line CONTAINS "unittest" OR process.user == "dev_user"
Scenario: Regular system maintenance task using Miracl for secure logging or audit purposes
Filter/Exclusion: process.name == "audit_tool" OR process.command_line CONTAINS "log" OR process.user == "sysadmin"