The OpenSSL_BN_mod_exp_mont rule matches a byte sequence taken from the compiled OpenSSL routine BN_mod_exp_mont, the Montgomery modular-exponentiation function behind OpenSSL's RSA, DH and DSA arithmetic. A hit therefore means the scanned file or process image carries its own (typically statically linked) copy of OpenSSL's bignum code; it does not by itself show that a vulnerability in that code has been exploited. Keys and plaintext handled by an outdated or tampered crypto library are still what is at stake, which is why SOC teams hunt for unexpected carriers of this code: a match inside a known server binary is routine, while a match inside a process that has no business doing modular exponentiation deserves a closer look. Whether the hunt runs in Azure Sentinel or elsewhere, the rule itself is plain YARA and works under any YARA-compatible file or memory scanner.
YARA Rule
rule OpenSSL_BN_mod_exp_mont
{
    meta:
        author = "Maxx"
        description = "OpenSSL BN_mod_exp_mont"
    strings:
        $c0 = { B8 A0 02 00 00 E8 ?? ?? ?? ?? 53 56 57 8B BC 24 BC 02 00 00 33 F6 8B 07 89 74 24 24 89 74 24 20 89 74 24 0C F6 00 01 75 24 68 72 01 00 00 68 ?? ?? ?? ?? 6A 66 6A 6D 6A 03 E8 ?? ?? ?? ?? 83 C4 14 33 C0 5F 5E 5B 81 C4 A0 02 00 00 C3 8B 8C 24 B8 02 00 00 51 E8 ?? ?? ?? ?? 8B D8 83 C4 04 3B DE 89 5C 24 18 75 1C 8B 94 24 B0 02 00 00 6A 01 52 E8 ?? ?? ?? ?? 83 C4 08 5F 5E 5B 81 C4 A0 02 00 00 C3 55 8B AC 24 C4 02 00 00 55 E8 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 8B F0 55 89 74 24 24 E8 }
    condition:
        $c0
}
The rule has a single string, the hex pattern $c0, and its condition is simply that the pattern is present, so one occurrence anywhere in the scanned object is enough to fire. The pattern is 32-bit x86 machine code: a stack-frame setup, callee-saved register pushes, and several calls whose four-byte relative targets are wildcarded (??) because they depend on where the function was linked. The pushes of the constants 0x66, 0x6D and 3 before the second wildcarded call line up with OpenSSL's error-reporting macro for this function (reason, function and library codes), which is the even-modulus check at the top of BN_mod_exp_mont. The wildcards are what let the signature survive relocation; the fixed bytes tie it to one compiler's output, so a differently compiled or 64-bit OpenSSL will not match, and a miss proves nothing.
The exclusion scenarios that follow assume the match has been tied to a running process (a memory scan, or a file scan joined to process-start telemetry); a bare file hit carries no process.name or process.args to filter on. Filtering on the process name alone is weak because a renamed binary sidesteps it, so pair the name with an expected path or image hash where the telemetry allows.
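What the hex string actually matches is easiest to see by compiling it yourself. The following is an added example, not code from the rule's author or from the YARA project: it turns the $c0 string into a byte regex (fixed bytes become literals, ?? becomes any byte), scans a buffer the way the yara CLI's -s option would, and checks the two properties a practitioner cares about, namely that the wildcarded call targets are irrelevant and that a single changed fixed byte breaks the match. The sample buffer is constructed here and is not a real binary; only whole-byte wildcards are handled, since that is all this rule uses.

```python
import re
from typing import List, Optional

# $c0 from the rule above, copied verbatim. "??" is a YARA wildcard byte.
C0_HEX = (
    "B8 A0 02 00 00 E8 ?? ?? ?? ?? 53 56 57 8B BC 24 BC 02 00 00 "
    "33 F6 8B 07 89 74 24 24 89 74 24 20 89 74 24 0C F6 00 01 75 24 "
    "68 72 01 00 00 68 ?? ?? ?? ?? 6A 66 6A 6D 6A 03 E8 ?? ?? ?? ?? "
    "83 C4 14 33 C0 5F 5E 5B 81 C4 A0 02 00 00 C3 "
    "8B 8C 24 B8 02 00 00 51 E8 ?? ?? ?? ?? 8B D8 83 C4 04 3B DE 89 5C 24 18 75 1C "
    "8B 94 24 B0 02 00 00 6A 01 52 E8 ?? ?? ?? ?? 83 C4 08 5F 5E 5B 81 C4 A0 02 00 00 C3 "
    "55 8B AC 24 C4 02 00 00 55 E8 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 8B F0 55 89 74 24 24 E8"
)


def parse_hex_string(hex_str: str) -> List[Optional[int]]:
    """Tokenise a YARA hex string into byte values; None marks a ?? wildcard.
    Only whole-byte wildcards are supported (no nibble wildcards, jumps or alternatives)."""
    out: List[Optional[int]] = []
    for tok in hex_str.split():
        if tok == "??":
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    return out


def to_regex(pattern: List[Optional[int]]) -> "re.Pattern[bytes]":
    """Equivalent bytes regex: a literal per fixed byte, '.' (with DOTALL) per wildcard.
    Wrapped in a lookahead so overlapping occurrences are reported, as YARA does."""
    body = b"".join(b"." if b is None else re.escape(bytes([b])) for b in pattern)
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def scan(data: bytes, hex_str: str = C0_HEX) -> List[int]:
    """Offsets at which the hex string matches, like the yara CLI's -s output."""
    rx = to_regex(parse_hex_string(hex_str))
    return [m.start() for m in rx.finditer(data)]


def build_sample(wildcard_fill: bytes, prefix: bytes = b"MZ" + b"\x00" * 62) -> bytes:
    """Constructed input: the signature with each ?? replaced by successive bytes of
    wildcard_fill (cycled), after a 64-byte dummy header. Not a real binary; it stands
    in for a file whose call/push targets happen to be whatever the fill says."""
    if not wildcard_fill:
        raise ValueError("wildcard_fill must not be empty")
    pat = parse_hex_string(C0_HEX)
    fill = iter(wildcard_fill * len(pat))
    body = bytes(next(fill) if b is None else b for b in pat)
    return prefix + body + b"\x90" * 16


if __name__ == "__main__":
    pat = parse_hex_string(C0_HEX)
    print(f"{len(pat)} bytes, {pat.count(None)} wildcarded (relocation-dependent targets)")
    sample = build_sample(b"\x11\x22\x33\x44")
    print("match offsets:", scan(sample))
    damaged = bytearray(sample)
    damaged[64] ^= 0x01                          # flip the first fixed byte (B8 -> B9)
    print("after one fixed byte changes:", scan(bytes(damaged)))
```

Run it against a real file by replacing the constructed sample with open(path, "rb").read(); the offsets it reports are the same ones yara -s prints, which is a quick way to confirm a hit is inside a code section rather than in, say, an embedded copy of the rule text itself.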
Scenario: Regular TLS handshake between internal services
Filter/Exclusion: process.name == "openssl" && process.args contains "s_server"
Explanation: The openssl command-line tool carries the library's bignum code, so an internal test listener started with openssl s_server will match. Exclude that invocation specifically: an exclusion of the form process.name != "openssl" || ... suppresses nearly every hit, including the unexpected carriers the hunt exists to find. Scope the exclusion to the hosts where such testing is expected.
Scenario: Scheduled system certificate renewal using certbot or openssl
Filter/Exclusion: process.name == "certbot" || (process.name == "openssl" && (process.args contains "x509" || process.args contains "req"))
Explanation: Certificate renewal invokes OpenSSL subcommands such as x509 or req, which perform RSA or EC operations and will match. The parentheses matter: && binds tighter than ||, so without them the openssl branch would cover x509 only, and req would still fire. Filtering on the known certificate-management tool and the expected subcommands keeps these runs out of the hunt.
Scenario: Admin task: Generating SSH keys using ssh-keygen with OpenSSL backend
Filter/Exclusion: process.name == "ssh-keygen" || (process.name == "openssl" && process.args contains "genpkey")
Explanation: ssh-keygen may be built against OpenSSL's libcrypto, so key generation can match, as can openssl genpkey. Filter on the ssh-keygen process name, or on that specific openssl subcommand, to exclude this activity.
Scenario: Automated backup job using rsync or tar with OpenSSL encryption
Filter/Exclusion: (process.name == "rsync" || process.name == "tar") && process.args contains "openssl"
Explanation: Backup jobs that encrypt with OpenSSL can match. Group the two tool names before the argument test: written as rsync || tar && contains, the && applies to tar only and every rsync run is excluded whatever its arguments. Note that in a shell pipeline such as tar ... | openssl enc ..., the openssl stage is a separate process with its own arguments, so the argument test may have to target that process rather than tar.
Scenario: Internal development using openssl s_client for testing
Filter/Exclusion: `process.name == “openssl” && process