The YARA rule below matches the compiled 32-bit x86 code of OpenSSL's BN_mod_exp2_mont, the routine that computes a1^p1 * a2^p2 mod m with Montgomery multiplication (used, for example, in DSA signature verification). A hit therefore means a scanned binary embeds this OpenSSL routine; because the signature is taken from one specific build, a different compiler, optimisation level or a 64-bit build will not match. Anomalous use of the function may indicate attempts to perform unauthorized computations on sensitive data or exploitation of cryptographic vulnerabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential cryptographic attacks that could compromise data integrity and confidentiality.
YARA Rule

rule OpenSSL_BN_mod_exp2_mont
{
    meta:
        author = "Maxx"
        description = "OpenSSL BN_mod_exp2_mont"
    strings:
        $c0 = { B8 30 05 00 00 E8 ?? ?? ?? ?? 8B 84 24 48 05 00 00 53 33 DB 56 8B 08 57 89 5C 24 24 89 5C 24 30 8A 01 89 5C 24 28 A8 01 89 5C 24 0C 75 24 68 89 00 00 00 68 ?? ?? ?? ?? 6A 66 6A 76 6A 03 E8 ?? ?? ?? ?? 83 C4 14 33 C0 5F 5E 5B 81 C4 30 05 00 00 C3 8B 94 24 48 05 00 00 52 E8 ?? ?? ?? ?? 8B F0 8B 84 24 54 05 00 00 50 E8 ?? ?? ?? ?? 83 C4 08 3B F3 8B F8 75 20 3B FB 75 1C 8B 8C 24 40 05 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5F 5E 5B 81 C4 30 05 00 00 C3 3B F7 89 74 24 18 7F 04 89 }
    condition:
        $c0
}
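To show what the rule's single hex string actually does, here is an added example (not part of the original page and not OpenSSL or YARA project code) that translates the hex string into an equivalent byte regex and scans a constructed buffer. Each `??` is a wildcard for one byte; in this signature they cover the 24 bytes of call and push immediates that change with every link. The sample buffers are constructed here, not real binaries.

```python
import re

# The hex string from the page's YARA rule: 32-bit x86 code of OpenSSL's
# BN_mod_exp2_mont, with the relocated call/push immediates wildcarded (??).
YARA_HEX = (
    "B8 30 05 00 00 E8 ?? ?? ?? ?? 8B 84 24 48 05 00 00 53 33 DB 56 8B 08 57 "
    "89 5C 24 24 89 5C 24 30 8A 01 89 5C 24 28 A8 01 89 5C 24 0C 75 24 68 89 "
    "00 00 00 68 ?? ?? ?? ?? 6A 66 6A 76 6A 03 E8 ?? ?? ?? ?? 83 C4 14 33 C0 "
    "5F 5E 5B 81 C4 30 05 00 00 C3 8B 94 24 48 05 00 00 52 E8 ?? ?? ?? ?? 8B "
    "F0 8B 84 24 54 05 00 00 50 E8 ?? ?? ?? ?? 83 C4 08 3B F3 8B F8 75 20 3B "
    "FB 75 1C 8B 8C 24 40 05 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5F 5E 5B "
    "81 C4 30 05 00 00 C3 3B F7 89 74 24 18 7F 04 89"
)


def tokens(hex_string=YARA_HEX):
    """Split a YARA hex string into its byte tokens ('??' marks a wildcard byte)."""
    return hex_string.split()


def hex_to_regex(hex_string=YARA_HEX):
    """Compile a YARA hex string into an equivalent bytes regex.

    Fixed bytes become escaped literals; every '??' becomes '.' (any one byte).
    """
    parts = []
    for tok in tokens(hex_string):
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


SIGNATURE = hex_to_regex()


def find_signature(data, pattern=SIGNATURE):
    """Return every file offset at which the signature matches."""
    return [m.start() for m in pattern.finditer(data)]


# Constructed sample input (not a real binary): the signature with each wildcard
# filled by a chosen byte, embedded between two 512-byte fillers.
FILLER = bytes(range(256)) * 2


def build_sample(wildcard_fill=0xAA, corrupt_last_byte=False):
    body = bytearray(wildcard_fill if t == "??" else int(t, 16) for t in tokens())
    if corrupt_last_byte:
        body[-1] ^= 0x01  # one fixed byte differs, as a different build would
    return FILLER + bytes(body) + FILLER


if __name__ == "__main__":
    print("tokens:", len(tokens()), "wildcards:", tokens().count("??"))
    print("match offsets:", find_signature(build_sample()))
    print("different immediates:", find_signature(build_sample(wildcard_fill=0x00)))
    print("one fixed byte changed:", find_signature(build_sample(corrupt_last_byte=True)))
```

The last call illustrates the caveat from the introduction: the wildcards absorb differing relocations, but a single differing opcode byte (a different compiler or optimisation level) defeats the whole 160-byte signature.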
This rule contains one string pattern in its detection logic. When a file hit is correlated with process telemetry in Azure Sentinel, the following scenarios are common benign sources of OpenSSL use and can be filtered as shown:
Scenario: System update or patching using apt or yum
Filter/Exclusion: Check for process names like apt, yum, or dnf in the process tree.
Example Filter: process.name != "apt" and process.name != "yum" and process.name != "dnf"

Scenario: Scheduled job running an OpenSSL-based encryption tool (e.g., openssl speed or openssl rsautl)
Filter/Exclusion: Exclude processes associated with scheduled tasks or known encryption utilities.
Example Filter: process.name != "openssl" or (process.command_line not contains "speed" and process.command_line not contains "rsautl")

Scenario: Admin task involving certificate generation or management using OpenSSL
Filter/Exclusion: Filter out processes related to certificate management, such as openssl req or openssl x509.
Example Filter: process.name != "openssl" or (process.command_line not contains "req" and process.command_line not contains "x509")

Scenario: Automated backup or data transfer using secure protocols (e.g., scp, sftp, or rsync with SSH)
Filter/Exclusion: Exclude processes using secure file transfer tools that may invoke OpenSSL internally.
Example Filter: process.name != "scp" and process.name != "sftp" and process.name != "rsync"

Scenario: Internal monitoring or logging tool using OpenSSL for secure communication (e.g., telegraf, prometheus, or elasticsearch)
Filter/Exclusion: Exclude known monitoring or logging tools that use OpenSSL for secure transport.
Example Filter: process.name != "telegraf" and process.name != "elasticsearch" and process.name != "prometheus"
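The five exclusion scenarios above, implemented as an added example (not part of the original page): the filters are applied to a handful of constructed process events, first exactly as written (name match plus substring tests on the command line) and then in a tighter variant that goes beyond the page by requiring the openssl subcommand to be the first argument token. The `ProcessEvent` fields and all sample command lines are constructed here and assumed, not taken from any real telemetry schema.

```python
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal constructed stand-in for a process-creation record."""
    name: str
    command_line: str


# Process names the scenarios above exclude outright.
EXCLUDED_NAMES = {
    "apt", "yum", "dnf",                       # package managers
    "scp", "sftp", "rsync",                    # secure transfer tools
    "telegraf", "elasticsearch", "prometheus",  # monitoring / logging
}

# openssl subcommands the scenarios treat as benign.
OPENSSL_BENIGN_SUBCOMMANDS = {"speed", "rsautl", "req", "x509"}


def excluded_substring(ev):
    """The page's filters taken literally: exclude by name, or openssl whose
    command line contains one of the benign subcommand strings anywhere."""
    if ev.name in EXCLUDED_NAMES:
        return True
    return ev.name == "openssl" and any(
        s in ev.command_line for s in OPENSSL_BENIGN_SUBCOMMANDS
    )


def excluded_token(ev):
    """Tighter variant: the benign subcommand must be the first argument,
    so 'openssl enc -in request.bin' is not swallowed by the 'req' test."""
    if ev.name in EXCLUDED_NAMES:
        return True
    if ev.name != "openssl":
        return False
    argv = shlex.split(ev.command_line)
    return len(argv) > 1 and argv[1] in OPENSSL_BENIGN_SUBCOMMANDS


def triage(events, excluded=excluded_token):
    """Split events into (kept for analyst review, suppressed as benign)."""
    kept = [e for e in events if not excluded(e)]
    suppressed = [e for e in events if excluded(e)]
    return kept, suppressed


# Constructed sample events, one per scenario plus two that should survive.
SAMPLE_EVENTS = [
    ProcessEvent("apt", "apt-get upgrade -y"),
    ProcessEvent("openssl", "openssl speed rsa2048"),
    ProcessEvent("openssl", "openssl req -new -x509 -days 365 -keyout k.pem -out c.pem"),
    ProcessEvent("openssl", "openssl enc -aes-256-cbc -in request.bin -out request.enc"),
    ProcessEvent("rsync", "rsync -avz -e ssh /srv/data backup:/srv/data"),
    ProcessEvent("telegraf", "telegraf --config /etc/telegraf/telegraf.conf"),
    ProcessEvent("python3", "python3 backup_tool.py"),
]


if __name__ == "__main__":
    for label, fn in (("substring", excluded_substring), ("token", excluded_token)):
        kept, suppressed = triage(SAMPLE_EVENTS, fn)
        print(f"{label}: kept {len(kept)}, suppressed {len(suppressed)}")
        for e in kept:
            print("   keep:", e.command_line)
```

Run as is, the literal substring version suppresses the `openssl enc ... -in request.bin` event because "request" contains "req"; the token version keeps it for review while still suppressing every event the scenarios describe.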