The RijnDael AES detection rule identifies files and memory regions that embed a standard (not custom) table-driven AES/Rijndael implementation, by matching a fragment of the AES encryption lookup table that crypto libraries and compilers store as a constant. Malware, packers and ransomware commonly carry a statically linked AES routine for configuration decryption, command-and-control traffic or file encryption, so a match is a useful triage pivot; on its own it is not evidence of data exfiltration or persistence, and plenty of legitimate software matches too. YARA rules operate on file contents and process memory, so this rule belongs in file scanners, sandbox pipelines and endpoint memory scans rather than in log-based SIEM queries such as Azure Sentinel hunting queries, which never see the bytes the rule looks for.
YARA Rule
rule RijnDael_AES
{
    meta:
        author = "_pusher_"
        description = "RijnDael AES"
        date = "2016-06"
    strings:
        $c0 = { A5 63 63 C6 84 7C 7C F8 }
    condition:
        $c0
}
This rule contains a single string pattern in its detection logic. The eight bytes A5 63 63 C6 84 7C 7C F8 are the first two 32-bit entries of the AES encryption T-table Te0 (0xC66363A5 and 0xF87C7C84, built from the S-box values S[0] = 0x63 and S[1] = 0x7C as the word (2·s, s, s, 3·s)) as they sit in memory on a little-endian machine. The pattern therefore matches the table-driven AES found in OpenSSL-style reference code and in the many statically linked copies of it; it will not match a bit-sliced or AES-NI implementation, an implementation that stores only the 256-byte S-box, or a table stored big-endian. When the rule fires, the match offset points at the start of the table, and the remaining 1 KiB of Te0 should follow it, which is a quick way to confirm a real AES implementation rather than a chance eight-byte collision.
Legitimate software that statically links an AES implementation will match this rule. Because YARA matches bytes in a file or a memory region, exclusions must be expressed at the level of the scanned object (path, hash or code-signing identity), not as process-name, user or command-line filters, which the rule never evaluates.
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Filter/Exclusion: Allowlist the vendor-signed Veeam binaries and libraries under the installation directory (by Authenticode signer or file hash) rather than filtering on the veeambackup.exe process name or a "Veeam Backup" scheduled task; backup agents routinely embed AES for backup encryption.
Scenario: Admin Task for Disk Encryption Using BitLocker
Filter/Exclusion: Exclude the Microsoft-signed BitLocker components (manage-bde.exe, the BitLocker management console bitlocker.msc and the Windows crypto libraries they rely on) by signer. BitLocker's AES code lives in Windows system binaries, so a scan of those files is expected to match and should be verified against the OS baseline, not treated as an alert.
Scenario: Automated Log Rotation Using Logrotate on Linux
Filter/Exclusion: logrotate itself does not implement AES; a match on a Linux host is more likely to come from the system crypto library (for example libcrypto) than from /usr/sbin/logrotate. Exclude by file path and confirm the file is unmodified with the package manager (rpm -V or dpkg --verify) rather than filtering on the logrotate user or its command line.
Scenario: Database Encryption Key Management Using Oracle Wallet Manager
Filter/Exclusion: Exclude the Oracle client and wallet tooling (orapki, owm and the Oracle crypto libraries they load) by installation path or file hash; wallet tooling legitimately embeds AES.
Scenario: Secure File Transfer Using SCP or SFTP
Filter/Exclusion: OpenSSH's scp, sftp and ssh on Linux usually take their AES tables from a dynamically linked libcrypto, so the match appears in the shared library, while statically built Windows clients carry the table in the executable itself. Allowlist the distribution-packaged or vendor-signed client binaries by hash or signer; "known legitimate user credentials and destination paths" are not attributes a YARA scan can see and do not belong in the exclusion.
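As an added example (not the page's content or the rule author's code), the following Python regenerates the AES S-box and T-table Te0 from the GF(2^8) arithmetic, confirms that the first eight little-endian bytes of Te0 are exactly the rule's $c0 pattern, and scans constructed sample buffers (not real files) to show which implementation layouts the rule catches and how a file-hash allowlist, rather than a process-name filter, expresses the exclusions above. The sample file names and contents are constructed, and the helper names are the example's own.

```python
# Added example (not part of the original page or the rule author's code):
# regenerate the AES T-table Te0 from first principles, show that its first
# eight little-endian bytes are exactly the RijnDael_AES signature, and scan
# constructed sample "binaries" with the same pattern plus a file-hash allowlist.
from __future__ import annotations

import hashlib
import struct

# Signature from the rule: $c0 = { A5 63 63 C6 84 7C 7C F8 }
RULE_PATTERN = bytes.fromhex("A56363C6847C7CF8")


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES defines inv(0) = 0."""
    if a == 0:
        return 0
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)


def affine(b: int) -> int:
    """AES S-box affine transform: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    s = b
    for i in range(1, 5):
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s ^ 0x63


SBOX = [affine(gf_inv(x)) for x in range(256)]


def te0_table(little_endian: bool = True) -> bytes:
    """Te0[x] = (2*S[x], S[x], S[x], 3*S[x]) packed as one 32-bit word per entry,
    the layout used by table-driven AES code such as OpenSSL's aes_core.c."""
    fmt = "<I" if little_endian else ">I"
    words = [(gf_mul(s, 2) << 24) | (s << 16) | (s << 8) | gf_mul(s, 3) for s in SBOX]
    return b"".join(struct.pack(fmt, w) for w in words)


def matches_rijndael_rule(data: bytes) -> int:
    """Offset of the rule's $c0 pattern in data, or -1 when the rule would not fire."""
    return data.find(RULE_PATTERN)


def full_table_follows(data: bytes, offset: int) -> bool:
    """Triage check: a real table-driven AES carries the whole 1 KiB Te0 at the
    match offset, not just an eight-byte coincidence."""
    return data[offset : offset + 1024] == te0_table(True)


def scan(files: dict[str, bytes], allowlist_sha256: set[str]) -> dict[str, int]:
    """Scan file contents; exclusions are by file hash, never by process name."""
    hits: dict[str, int] = {}
    for name, blob in files.items():
        if hashlib.sha256(blob).hexdigest() in allowlist_sha256:
            continue
        off = matches_rijndael_rule(blob)
        if off >= 0:
            hits[name] = off
    return hits


# Constructed sample "binaries" (not real files): padding around the tables.
PAD = b"\x00" * 64
SAMPLES = {
    "malware_static_aes.bin": PAD + te0_table(True) + PAD,   # little-endian Te0: matches
    "bigendian_aes.bin": PAD + te0_table(False) + PAD,       # same table, big-endian: no match
    "sbox_only_aes.bin": PAD + bytes(SBOX) + PAD,            # S-box only, no T-table: no match
    "backup_agent.exe": b"MZ" + PAD + te0_table(True),       # legitimate, excluded by hash
}
ALLOW = {hashlib.sha256(SAMPLES["backup_agent.exe"]).hexdigest()}

if __name__ == "__main__":
    assert te0_table(True)[:8] == RULE_PATTERN
    for name, off in scan(SAMPLES, ALLOW).items():
        print(f"{name}: {RULE_PATTERN.hex()} at offset {off}, "
              f"full Te0 follows: {full_table_follows(SAMPLES[name], off)}")
```

Running the script reports only malware_static_aes.bin: the big-endian and S-box-only variants never contain the pattern, and the backup agent is dropped by its hash before the pattern is even checked. The full_table_follows check is the confirmation step a triage analyst would apply to a hit before escalating it.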