The rc4_stack_key rule (rc4_stack_key_fallchill, referencing US-CERT alert TA17-318A) detects a hard-coded RC4 stack-key byte pattern in PE files, which may indicate an adversary leveraging stolen credentials or decrypting sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage data compromise or lateral movement attempts.
YARA Rule
rule rc4_stack_key_fallchill
{
    meta:
        description = "rc4_stack_key"
        ref = "https://www.us-cert.gov/ncas/alerts/TA17-318A"
    strings:
        $stack_key = { 0d 06 09 2a ?? ?? ?? ?? 86 48 86 f7 ?? ?? ?? ?? 0d 01 01 01 ?? ?? ?? ?? 05 00 03 82 41 8b c9 41 8b d1 49 8b 40 08 48 ff c2 88 4c 02 ff ff c1 81 f9 00 01 00 00 7c eb }
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $stack_key
}
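To see exactly what the condition above requires, here is an added example (not part of the rule page or of any YARA tooling) that re-implements the rule's logic in pure Python: the PE magic checks (MZ at offset 0, PE\0\0 at e_lfanew) and the $stack_key hex string with its ?? wildcards, run over a constructed PE-shaped buffer.

```python
import re
import struct

# The $stack_key hex string from the rc4_stack_key_fallchill rule, copied verbatim.
STACK_KEY_PATTERN = (
    "0d 06 09 2a ?? ?? ?? ?? 86 48 86 f7 ?? ?? ?? ?? 0d 01 01 01 ?? ?? ?? ?? "
    "05 00 03 82 41 8b c9 41 8b d1 49 8b 40 08 48 ff c2 88 4c 02 ff ff c1 81 "
    "f9 00 01 00 00 7c eb"
)

def hex_pattern_to_regex(pattern):
    """Translate a YARA hex string (fixed bytes plus ?? wildcards) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        # ?? matches any single byte; everything else is one literal byte.
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def is_pe(data):
    """Mirror of the rule's condition: uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:        # 'MZ'
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):
        return False
    return struct.unpack_from("<H", data, e_lfanew)[0] == 0x4550  # 'PE'

def scan(data):
    """Return offsets where $stack_key occurs; [] if the buffer is not a PE or has no match."""
    if not is_pe(data):
        return []
    return [m.start() for m in hex_pattern_to_regex(STACK_KEY_PATTERN).finditer(data)]

def build_sample(include_key):
    """Constructed test input: a minimal PE-shaped buffer, optionally carrying the pattern."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    body = b"\x90" * 32
    if include_key:
        # Fill the ?? wildcard slots with an arbitrary byte (0xAA) to build a matching blob.
        body += bytes(0xAA if tok == "??" else int(tok, 16) for tok in STACK_KEY_PATTERN.split())
    return bytes(header) + body + b"\xcc" * 16

if __name__ == "__main__":
    print("hit offsets:", scan(build_sample(True)))   # [160]
    print("clean sample:", scan(build_sample(False)))  # []
```

Because the condition is a file-content check, the same bytes in a non-PE file (for example a memory dump without an MZ header) will not fire this rule; scan() returns [] in that case.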
This YARA rule can be deployed in the contexts listed below. The rule contains one string pattern ($stack_key) in its detection logic; the process-name filters that follow are exclusions for the endpoint telemetry the alert is correlated with, since the YARA condition itself only inspects file content.
Scenario: System backup using Veeam Backup & Replication
Filter/Exclusion: Check for the presence of veeam in the process name or command line arguments.
Example Filter: process.name != "veeam"
Scenario: Scheduled system maintenance task using Task Scheduler
Filter/Exclusion: Filter out tasks associated with the Task Scheduler service.
Example Filter: process.parent.name != "schtasks.exe"
Scenario: Network device configuration using Cisco ASA CLI
Filter/Exclusion: Exclude processes related to Cisco ASDM or Cisco CLI tools.
Example Filter: process.name != "ciscoasa" && process.name != "asdm"
Scenario: Database backup using MySQL
Filter/Exclusion: Identify and exclude processes related to mysqldump or MySQL backup utilities.
Example Filter: process.name != "mysqldump"
Scenario: Log management using Splunk
Filter/Exclusion: Exclude processes related to Splunk Forwarder or Splunk Indexer.
Example Filter: process.name != "splunkforwarder" && process.name != "splunkd"