This YARA rule flags files or memory regions that contain the RIPEMD-160 initialization constants, which almost always means a RIPEMD-160 implementation is compiled into the scanned object. That is useful for spotting custom or statically linked hashing code in malware, where the hash may be used for integrity checks, key derivation or address generation; note that RIPEMD-160 is a hash function, not a cipher, so a hit does not by itself indicate encryption. Two caveats shape how the rule should be used. First, the five initial words of RIPEMD-160 are identical to those of SHA-1 (and the first four to those of MD4 and MD5), so any SHA-1 implementation matches as well; a hit says "a hash implementation is present", not "RIPEMD-160 specifically". Second, YARA scans files and process memory on endpoints, in sandboxes or across sample repositories; SOC teams can forward those hits to a SIEM such as Azure Sentinel to correlate them with other telemetry when hunting for custom or obfuscated tooling.
YARA Rule
rule RIPEMD160_Constants {
    meta:
        author = "phoul (@phoul)"
        description = "Look for RIPEMD-160 constants"
        date = "2014-01"
        version = "0.1"
    strings:
        // Initial state words h0..h4, written as big-endian byte sequences.
        // These values are shared with SHA-1 (and, for h0..h3, with MD4/MD5).
        $c0 = { 67452301 }
        $c1 = { EFCDAB89 }
        $c2 = { 98BADCFE }
        $c3 = { 10325476 }
        $c4 = { C3D2E1F0 }
        // The same five words byte-reversed, i.e. as a little-endian
        // (x86/ARM) binary stores them as immediates or in a constant table.
        $c5 = { 01234567 }
        $c6 = { 89ABCDEF }
        $c7 = { FEDCBA98 }
        $c8 = { 76543210 }
        $c9 = { F0E1D2C3 }
    condition:
        5 of them
}
The rule's detection logic consists of 10 hex byte patterns and fires when at least 5 of them occur anywhere in the scanned file or memory region. Because $c0-$c4 and $c5-$c9 are the same five words in opposite byte orders, the threshold is met by one complete set of initialization constants in either endianness, which is exactly what a compiled SHA-1 or RIPEMD-160 routine contains.
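To make the matching behaviour concrete, the following added example (written for this page; it is not part of the original rule or its author's tooling) rebuilds the rule's ten strings from the five initialization words, reimplements the "5 of them" condition, and runs it over constructed byte buffers: the words as a little-endian SHA-1/RIPEMD-160 routine stores them, the four-word MD5 subset, an ASCII checksum listing, and a big-endian build. The buffers are made up for the demonstration and no real binary is scanned; the filler bytes in the code samples are an arbitrary function prologue.

```python
import struct

# Initial hash-state words of RIPEMD-160. SHA-1 uses exactly the same five;
# MD4 and MD5 use the first four. This is why the rule cannot tell them apart.
IV_WORDS = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

# The rule's ten hex strings, rebuilt from the words:
#   $c0..$c4 = the words as big-endian byte sequences (67 45 23 01 ...)
#   $c5..$c9 = the same words little-endian (01 23 45 67 ...), which is how a
#              compiled x86/ARM implementation stores them.
PATTERNS = {f"$c{i}": struct.pack(">I", w) for i, w in enumerate(IV_WORDS)}
PATTERNS.update({f"$c{i + 5}": struct.pack("<I", w) for i, w in enumerate(IV_WORDS)})


def matching_strings(data: bytes) -> list[str]:
    """Names of the rule's strings found in data (plain substring search, as YARA does)."""
    return [name for name, pat in PATTERNS.items() if pat in data]


def rule_fires(data: bytes, threshold: int = 5) -> bool:
    """The rule's condition, '5 of them': at least five distinct strings present."""
    return len(matching_strings(data)) >= threshold


# Constructed sample inputs (not real binaries).
# 1. What a SHA-1 or RIPEMD-160 init routine looks like in a little-endian binary:
#    an arbitrary prologue, the five words in memory order, and a `ret`.
SHA1_LE_CODE = b"\x55\x48\x89\xe5" + b"".join(struct.pack("<I", w) for w in IV_WORDS) + b"\xc3"
# 2. The same for MD5, which initialises only four words.
MD5_LE_CODE = b"\x55\x48\x89\xe5" + b"".join(struct.pack("<I", w) for w in IV_WORDS[:4]) + b"\xc3"
# 3. A checksum listing: hash *values* are ASCII hex text, never the raw constant bytes.
CHECKSUM_TEXT = b"67452301efcdab8998badcfe10325476c3d2e1f0  installer.bin\n"
# 4. A big-endian build (or a constant table written in network order) of the same code.
SHA1_BE_CODE = b"".join(struct.pack(">I", w) for w in IV_WORDS)


def triage(samples: dict[str, bytes]) -> dict[str, tuple[bool, list[str]]]:
    """Run the rule over each sample and report (fired?, matched string names) per name."""
    return {name: (rule_fires(d), matching_strings(d)) for name, d in samples.items()}


if __name__ == "__main__":
    results = triage({
        "sha1_or_ripemd160_le": SHA1_LE_CODE,
        "md5_le": MD5_LE_CODE,
        "checksum_text": CHECKSUM_TEXT,
        "sha1_or_ripemd160_be": SHA1_BE_CODE,
    })
    for name, (fired, hits) in results.items():
        print(f"{name:22s} fires={fired!s:5s} hits={hits}")
```

The run shows the two properties that matter for triage: a complete set of the five words in either byte order fires the rule (so SHA-1 code is indistinguishable from RIPEMD-160 code here), the four-word MD5 subset stays just under the threshold, and a file of hash values in text form produces no hits at all, because the rule matches the algorithm's constants, not its output.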
Scenario: Legitimate software installation packages
Description: Installers, and the libraries and tools they unpack, frequently embed a SHA-1 or RIPEMD-160 implementation (a statically linked OpenSSL, a language runtime's own hash code, a bundled Git or SSH client), and that compiled code carries the constants. Hash values listed in files such as checksums.txt or MD5SUMS are ASCII hex text and cannot match the raw byte patterns, so they are not a source of hits.
Filter/Exclusion: Whitelist the matching binaries by file hash or code-signing identity. If directory-level exclusions are used (e.g., /opt/software/, /usr/local/bin/), keep them narrow: a trojanised binary dropped into a trusted path would be excluded along with the legitimate ones.
Scenario: System integrity monitoring tools generating hashes
Description: AIDE can be configured to compute rmd160 checksums and Tripwire computes several digests, so their executables and the libraries they link contain the constants. Their databases and logs store hash values as text and do not match.
Filter/Exclusion: Exclude the integrity tool executables by hash or package ownership. Excluding /var/lib/aide/ or /var/log/tripwire/ is harmless but does not address where the hits actually come from.
Scenario: Scheduled backup jobs using hashes for integrity checks
Description: Backup agents such as rsync or Veeam link hash implementations for delta transfer and integrity verification; whether or not RIPEMD-160 itself is among them, any linked SHA-1 code is enough to satisfy the rule.
Filter/Exclusion: Exclude the backup agent binaries by hash. Hashes recorded under /backup/ or /var/log/backup/ are text and will not trigger the rule.
Scenario: Admin tasks involving cryptographic hash generation
Description: Administrators generating digests by hand (for example with openssl dgst during file validation or forensic analysis) run tools whose binaries contain the constants; the output files they write (hashes.txt, verification_logs.txt) do not.
Filter/Exclusion: Exclude the standard hashing utilities by hash or package ownership rather than excluding whole directories such as /root/ or /var/log/admin_tasks/, which would also hide anything an attacker staged there.
Scenario: Legacy system compatibility or interoperability checks
Description: Older systems or protocols may still use RIPEMD-160 for compatibility, especially in environments with legacy applications or