Binaries containing RC6 encryption constants may indicate the presence of malicious code using RC6 for encryption or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threats or data manipulation activities.
YARA Rule
rule RC6_Constants {
    meta:
        author = "chort (@chort0)"
        description = "Look for RC6 magic constants in binary"
        reference = "https://twitter.com/mikko/status/417620511397400576"
        reference2 = "https://twitter.com/dyngnosis/status/418105168517804033"
        date = "2013-12"
        version = "0.2"
    strings:
        $c1 = { B7E15163 }
        $c2 = { 9E3779B9 }
        $c3 = { 6351E1B7 }
        $c4 = { B979379E }
    condition:
        2 of them
}
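The following Python example is added here and is not part of the original rule page. It reproduces why the four byte patterns above are stable fingerprints: they are the RC6 key-schedule constants P32 = Odd((e - 2) * 2^32) and Q32 = Odd((phi - 1) * 2^32) in big-endian ($c1, $c2) and little-endian ($c3, $c4) byte order. It then applies the rule's "2 of them" condition to constructed sample buffers, and models the file-path style exclusion discussed in the scenarios below through a hypothetical excluded_prefixes parameter (the sample buffers and that parameter are assumptions of this example, not anything in the YARA rule).

```python
"""
Added example (not part of the original rule page): derive the RC6 "magic"
constants, rebuild the rule's four byte patterns from them, and apply the
"2 of them" condition to constructed sample buffers in plain Python.
"""
import math
import struct

WORD_BITS = 32  # RC6-w/r/b with w = 32, the variant the rule fingerprints


def odd(x: float) -> int:
    """Odd(x) as defined in the RC5/RC6 papers: the odd integer nearest x."""
    n = math.floor(x)
    return n if n % 2 else n + 1


def rc6_magic_constants(w: int = WORD_BITS) -> tuple:
    """Derive P_w = Odd((e - 2) * 2^w) and Q_w = Odd((phi - 1) * 2^w).

    Both constants are loaded verbatim by the key schedule of any RC6
    implementation, which is why their byte encodings make a good static
    signature regardless of how the rest of the code was compiled.
    """
    p = odd((math.e - 2) * 2 ** w)
    q = odd(((math.sqrt(5) - 1) / 2) * 2 ** w)  # phi - 1 = (sqrt(5) - 1) / 2
    return p, q


def rc6_signatures() -> dict:
    """The four byte patterns of the YARA rule, rebuilt from P and Q.

    $c1/$c2 are the big-endian encodings, $c3/$c4 the little-endian ones
    (how the constants land in x86/ARM code and data sections).
    """
    p, q = rc6_magic_constants()
    return {
        "$c1": struct.pack(">I", p),  # B7 E1 51 63
        "$c2": struct.pack(">I", q),  # 9E 37 79 B9
        "$c3": struct.pack("<I", p),  # 63 51 E1 B7
        "$c4": struct.pack("<I", q),  # B9 79 37 9E
    }


def matching_patterns(data: bytes) -> list:
    """Return the names of the rule's strings found anywhere in `data`."""
    return [name for name, sig in rc6_signatures().items() if sig in data]


def rule_matches(data: bytes, path: str = "", excluded_prefixes: tuple = ()) -> bool:
    """Evaluate the rule condition `2 of them`, honouring a path allow-list.

    `excluded_prefixes` (hypothetical parameter, not part of the YARA rule)
    models the file.path exclusions described in the scenarios on the page.
    """
    if any(path.startswith(prefix) for prefix in excluded_prefixes):
        return False
    return len(matching_patterns(data)) >= 2


# --- constructed sample inputs (synthetic, not real malware) ---------------
P, Q = rc6_magic_constants()
# A tiny "compiled" key schedule: P and Q stored little-endian among filler.
SAMPLE_RC6_BINARY = b"\x90" * 16 + struct.pack("<II", P, Q) + b"\x00" * 16
# Only Q present. Q is also the golden-ratio constant used by TEA/XTEA and
# Fibonacci hashing, which is exactly why the rule requires two strings.
SAMPLE_ONE_CONSTANT = b"\xcc" * 8 + struct.pack("<I", Q) + b"\xcc" * 8
SAMPLE_BENIGN = bytes(range(256))


if __name__ == "__main__":
    print(f"P = {P:#010x}, Q = {Q:#010x}")
    for label, blob in [("rc6-like", SAMPLE_RC6_BINARY),
                        ("one-constant", SAMPLE_ONE_CONSTANT),
                        ("benign", SAMPLE_BENIGN)]:
        print(f"{label:13s} strings={matching_patterns(blob)} "
              f"match={rule_matches(blob)}")
    # The same bytes under an excluded development path are suppressed.
    print("excluded:", rule_matches(SAMPLE_RC6_BINARY,
                                    "/home/developer/secure_app/x.bin",
                                    ("/home/developer/secure_app/",)))
```

Running it prints P = 0xb7e15163 and Q = 0x9e3779b9, a match on the little-endian pair $c3/$c4 for the RC6-like buffer, no match for the single-constant and benign buffers, and False for the excluded path. The single-constant case is the reason the rule insists on two strings: 0x9E3779B9 on its own turns up in plenty of unrelated code.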
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: A legitimate cryptographic tool is being used to encrypt sensitive data using RC6.
Filter/Exclusion: Exclude files associated with known cryptographic tools like OpenSSL or GnuPG by checking the file path or using a process name filter like process.name != "openssl".
Scenario: A system administrator is running a scheduled job that uses RC6 for data compression or secure logging.
Filter/Exclusion: Exclude processes related to system maintenance tasks by checking the command line arguments or using a process name filter like process.name != "sysadmin_tool".
Scenario: A developer is testing a custom encryption module that uses RC6 as part of a secure application.
Filter/Exclusion: Exclude files from development directories or specific user profiles using a file path filter like file.path != "/home/developer/secure_app/".
Scenario: A backup utility is using RC6 to encrypt backup archives before storage.
Filter/Exclusion: Exclude files associated with backup tools like Veeam or Commvault by checking the file path or using a process name filter like process.name != "veeam".
Scenario: A network security appliance is configured to use RC6 for secure communication between nodes.
Filter/Exclusion: Exclude network-related binaries or services by checking the process name or using a service name filter like service.name != "network_security_appliance".