This detection rule identifies potential adversary behavior involving the Rijndael (AES) inverse S-box byte-table lookup ("S-inv [char]"), a code pattern that may indicate the use of custom encryption routines to exfiltrate or obscure data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that use custom cryptographic routines to evade traditional detection mechanisms.
YARA Rule
rule RijnDael_AES_CHAR_inv
{
    meta:
        author = "_pusher_"
        description = "RijnDael AES S-inv [char]"
        // needs improvement
        date = "2016-07"
    strings:
        $c0 = { 48 38 47 00 88 17 33 D2 8A 56 0D 8A 92 48 38 47 00 88 57 01 33 D2 8A 56 0A 8A 92 48 38 47 00 88 57 02 33 D2 8A 56 07 8A 92 48 38 47 00 88 57 03 33 D2 8A 56 04 8A 92 }
    condition:
        $c0
}
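As an added example (not from the page or the rule's author), the Python below compiles the rule's hex string, and a hypothetical wildcarded variant, into byte-regex scanners and runs both over constructed 32-bit x86 fragments. By my reading of the bytes, each `48 38 47 00` is the little-endian disp32 of `mov dl, [edx+imm32]` (opcode `8A 92`), i.e. the absolute address of the inverse S-box table, which is build-specific; the example shows that the original pattern misses a sample whose table sits at another address while the wildcarded one still matches, and recovers the table address from a hit.

```python
import re

# Hex string copied from the page's rule; ?? is the YARA wildcard byte.
ORIGINAL_HEX = (
    "48 38 47 00 88 17 33 D2 8A 56 0D 8A 92 48 38 47 00 88 57 01 33 D2 8A 56 0A "
    "8A 92 48 38 47 00 88 57 02 33 D2 8A 56 07 8A 92 48 38 47 00 88 57 03 33 D2 "
    "8A 56 04 8A 92"
)
# Hypothetical variant (assumption, not from the page): each 48 38 47 00 is the
# disp32 of `mov dl, [edx+imm32]`, the absolute address of the inverse S-box
# table, which differs between builds, so it is replaced by wildcards.
WILDCARDED_HEX = ORIGINAL_HEX.replace("48 38 47 00", "?? ?? ?? ??")


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA-style hex string (fixed bytes and ?? wildcards) to a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(pattern: str, data: bytes) -> list:
    """Return the offsets in data at which the hex pattern matches."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]


def build_sample(table_addr: int) -> bytes:
    """Constructed x86 fragment shaped like the loop the rule targets: for each
    output byte, xor edx,edx; mov dl,[esi+src]; mov dl,[edx+table]; mov [edi+dst],dl.
    Only the table address varies between samples."""
    addr = table_addr.to_bytes(4, "little")
    stores = [b"\x88\x17", b"\x88\x57\x01", b"\x88\x57\x02", b"\x88\x57\x03", b"\x88\x57\x04"]
    code = b"\x55\x8B\xEC"  # push ebp; mov ebp, esp (padding ahead of the loop body)
    for src, store in zip((0x00, 0x0D, 0x0A, 0x07, 0x04), stores):
        code += b"\x33\xD2\x8A\x56" + bytes([src]) + b"\x8A\x92" + addr + store
    return code


def table_addresses(data: bytes, offsets: list) -> set:
    """For each match, read the disp32 following the pattern's final 8A 92
    (55 bytes after the match start) to recover the S-box table address."""
    return {int.from_bytes(data[off + 55:off + 59], "little") for off in offsets}


if __name__ == "__main__":
    for addr in (0x00473848, 0x00401000):
        sample = build_sample(addr)
        print(hex(addr), scan(ORIGINAL_HEX, sample), scan(WILDCARDED_HEX, sample))
```

Running it shows the original rule matching only the sample built with table address 0x00473848, while the wildcarded pattern matches both and `table_addresses` reports the address used in each.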
This rule contains one string pattern in its detection logic. It can be deployed in the following contexts; each scenario lists benign activity that may trigger it together with a suggested filter or exclusion:
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude processes associated with veeambackup.exe or check for the presence of Veeam in the process name or command line.
Scenario: Regular Windows Update or Group Policy synchronization task
Filter/Exclusion: Exclude processes with wuauclt.exe or gpolisten.exe in the process name, or filter by the presence of Windows Update in the command line.
Scenario: Log management tool such as Splunk or ELK Stack performing data ingestion
Filter/Exclusion: Exclude processes related to splunkd.exe, logstash, or fluentd based on process name or command line arguments.
Scenario: Database backup using SQL Server Agent Job
Filter/Exclusion: Exclude processes with sqlservr.exe or check for the presence of BACKUP DATABASE in the command line or task description.
Scenario: Antivirus or endpoint protection tool performing a full system scan (e.g., Kaspersky, Bitdefender)
Filter/Exclusion: Exclude processes with kavsvc.exe, bdagent.exe, or similar names, or filter by the presence of Scan or Full Scan in the command line.