The detection rule identifies potential Rijndael (AES) encryption activity, which may indicate the presence of a cryptomining adversary leveraging this algorithm for data exfiltration or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage cryptomining operations that could evade traditional detection methods.
YARA Rule
rule RijnDael_AES_CHAR
{
    meta:
        author = "_pusher_"
        description = "RijnDael AES (check2) [char]"
        date = "2016-06"
    strings:
        // First 32 entries (two rows) of the AES forward S-box, as embedded
        // verbatim by table-driven Rijndael/AES implementations.
        $c0 = { 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 }
    condition:
        $c0
}
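The single pattern above is the first two rows of the AES forward S-box. The Python below is an added example, not part of the original rule or page: it derives the S-box from its definition to confirm that `$c0` is just its first 32 entries, then scans a constructed buffer for the pattern the way `condition: $c0` would.

```python
# Added example, not from the original page: rebuild the AES forward S-box from
# its definition and show that the rule's $c0 is just its first 32 entries.

RULE_C0 = bytes.fromhex(
    "637C777BF26B6FC53001672BFED7AB76"
    "CA82C97DFA5947F0ADD4A2AF9CA472C0"
)

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0."""
    return 0 if a == 0 else next(b for b in range(1, 256) if gf_mul(a, b) == 1)

def aes_sbox() -> bytes:
    """Forward S-box: affine transform (four rotations XORed, plus 0x63) of the inverse."""
    box = bytearray(256)
    for x in range(256):
        b = s = gf_inv(x)
        for _ in range(4):
            b = ((b << 1) | (b >> 7)) & 0xFF  # rotate left by one bit
            s ^= b
        box[x] = s ^ 0x63
    return bytes(box)

def find_sbox(buf: bytes) -> list[int]:
    """Offsets of the rule's $c0 pattern in buf, mirroring `condition: $c0`."""
    hits, start = [], 0
    while (i := buf.find(RULE_C0, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits

if __name__ == "__main__":
    assert aes_sbox()[:32] == RULE_C0
    # Constructed sample "binary": padding, the full 256-byte table, more padding.
    sample = b"\x90" * 40 + aes_sbox() + b"\x00" * 16
    print(find_sbox(sample))  # [40]
```

Because the rule keys on the table being stored verbatim and in order, it will not fire on code that computes the S-box at runtime or uses a hardware AES path, so treat a miss as absence of this specific artifact, not absence of AES.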
This rule contains one string pattern in its detection logic.
This YARA rule can be deployed in the following contexts, each listed with the legitimate AES use that may match it and a suggested filter/exclusion:
Scenario: Scheduled backup job using Veeam Backup & Replication
Description: The backup process may involve AES encryption of data during transfer or storage.
Filter/Exclusion: process.name != "VeeamBackup.exe"
Scenario: Windows Task Scheduler running a PowerShell script for system maintenance
Description: A legitimate script may use AES encryption for secure data handling or logging.
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name != "schtasks.exe"
Scenario: Microsoft SQL Server using AES encryption for database backups
Description: SQL Server may encrypt backup files using AES during the backup process.
Filter/Exclusion: process.name != "sqlservr.exe" OR process.args NOT LIKE '%BACKUP%'
Scenario: Admin using OpenSSL to encrypt sensitive configuration files
Description: System administrators may use OpenSSL to encrypt configuration files for secure storage.
Filter/Exclusion: process.name != "openssl.exe" OR process.args NOT LIKE '/encrypt%'
Scenario: Log management tool (e.g., Splunk) encrypting logs for secure transmission
Description: Log data may be encrypted using AES before being sent to a secure log repository.
Filter/Exclusion: process.name != "splunkd.exe" OR process.args NOT LIKE '/encrypt%'