The RsaEuro NN_modMult rule detects potential cryptographic operations associated with RSA key generation, which may indicate the presence of malicious code performing cryptographic computations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threats or data exfiltration activities leveraging cryptographic techniques.
YARA Rule
rule RsaEuro_NN_modMult
{
    meta:
        author = "Maxx"
        description = "RsaEuro NN_modMult"

    strings:
        $c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 00 00 8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 83 C4 24 5E 81 C4 08 01 00 00 C3 }

    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic: a single hex string of x86 code bytes in which the two `E8 ?? ?? ?? ??` groups leave the 4-byte relative call targets as wildcards, so the match does not depend on where the called routines were linked.
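To make the matching semantics of that hex string concrete, here is an added example (not part of the original rule page and not the YARA engine itself) that translates a YARA-style hex string into a bytes regex and scans a buffer with it, reporting the offsets at which the pattern occurs. It goes slightly beyond the page's rule by also supporting YARA nibble wildcards such as `8?`, which this rule does not use. The sample buffer is constructed here by filling the rule's `??` positions with arbitrary bytes, standing in for whatever rel32 call displacements a real binary would carry; the offset, fill bytes and NOP padding are assumptions for the demonstration.

```python
import itertools
import re

# Hex string copied from the RsaEuro_NN_modMult rule on the page ($c0).
NN_MODMULT_HEX = (
    "8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 "
    "56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 00 00 "
    "8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 83 C4 24 5E 81 C4 08 01 00 00 C3"
)


def _token_to_regex(tok):
    """Translate one hex-string token into a bytes regex fragment.

    '??'  -> any single byte
    '8?'  -> any byte whose high nibble is 8 (nibble wildcard, not used by this rule)
    'C3'  -> exactly that byte
    """
    if tok == "??":
        return b"."
    if "?" in tok:
        # Enumerate the 16 bytes the nibble wildcard can stand for and build a class.
        candidates = [int(tok.replace("?", h), 16) for h in "0123456789ABCDEF"]
        return b"[" + b"".join(re.escape(bytes([c])) for c in candidates) + b"]"
    return re.escape(bytes([int(tok, 16)]))


def hex_string_to_regex(hex_string):
    """Compile a YARA-style hex string into a bytes regex (DOTALL so '.' covers 0x0A)."""
    fragments = [_token_to_regex(tok) for tok in hex_string.split()]
    return re.compile(b"".join(fragments), re.DOTALL)


def find_matches(data, pattern):
    """Return the offsets at which the compiled pattern occurs in data."""
    return [m.start() for m in pattern.finditer(data)]


def rule_matches(data):
    """Equivalent of the rule's condition '$c0': true if the string occurs anywhere."""
    return bool(hex_string_to_regex(NN_MODMULT_HEX).search(data))


def build_sample_buffer(offset=0x40, fill=b"\xde\xad\xbe\xef"):
    """Construct a test buffer: NOP padding, then the rule bytes with the '??'
    positions filled from `fill` (constructed stand-ins for call displacements)."""
    fill_cycle = itertools.cycle(fill)
    body = bytearray()
    for tok in NN_MODMULT_HEX.split():
        body.append(next(fill_cycle) if tok == "??" else int(tok, 16))
    return b"\x90" * offset + bytes(body) + b"\x90" * 32


if __name__ == "__main__":
    pattern = hex_string_to_regex(NN_MODMULT_HEX)
    sample = build_sample_buffer()
    print("match offsets:", [hex(o) for o in find_matches(sample, pattern)])
    print("rule fires on sample:", rule_matches(sample))
    print("rule fires on zero buffer:", rule_matches(b"\x00" * 256))
```

Because the wildcard bytes are filled with values that no real linker would produce, the example shows that the `??` positions genuinely contribute nothing to the match; changing any one of the fixed bytes, by contrast, defeats it, which is the usual fragility of a single-string code-byte signature when a sample is recompiled or patched.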
Scenario: Regular system maintenance task using rsync to synchronize files between servers
Filter/Exclusion: process.name != "rsync" or check for process.args containing --backup or --exclude
Scenario: Scheduled backup job using tar to archive logs on a daily basis
Filter/Exclusion: process.name != "tar" or check for process.args containing --exclude or --gzip
Scenario: Admin performing manual certificate rotation using openssl to update RSA keys
Filter/Exclusion: process.name != "openssl" or check for process.args containing --engine or --noout
Scenario: Automated log rotation using logrotate that processes RSA-mod files
Filter/Exclusion: process.name != "logrotate" or check for process.args containing --exclude or --copytruncate
Scenario: Security tool like OSSEC or Snort performing signature-based analysis that includes RSA-related patterns
Filter/Exclusion: process.name != "ossec" and process.name != "snort" or check for process.args containing --exclude or --noalert