The RsaRef2_NN_modExp rule detects a code pattern associated with RSA key generation or manipulation, which may indicate the use of cryptographic libraries or tools in the environment. SOC teams should proactively hunt for this behavior to identify potential cryptographic attacks or unauthorized key-management activity in their Azure Sentinel environment.
YARA Rule
rule RsaRef2_NN_modExp
{
    meta:
        author = "Maxx"
        description = "RsaRef2 NN_modExp"
    strings:
        $c0 = { 81 EC 1C 02 00 00 53 55 56 8B B4 24 30 02 00 00 57 8B BC 24 44 02 00 00 57 8D 84 24 A4 00 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 4C 02 00 00 57 53 8D 8C 24 B4 00 00 00 56 8D 94 24 3C 01 00 00 51 52 E8 ?? ?? ?? ?? 57 53 8D 84 24 4C 01 00 00 56 8D 8C 24 D4 01 00 00 50 51 E8 ?? ?? ?? ?? 8D 54 24 50 57 52 E8 ?? ?? ?? ?? 8B 84 24 78 02 00 00 8B B4 24 74 02 00 00 50 56 C7 44 24 60 01 00 00 00 E8 ?? ?? ?? ?? 8D 48 FF 83 C4 44 8B E9 89 4C 24 18 85 ED 0F 8C AF 00 00 00 8D 34 AE 89 74 24 }
    condition:
        any of them
}
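To see concretely what the $c0 hex string matches, here is an added Python helper (not part of the rule or of any tooling the page describes) that parses the fixed-byte-and-?? subset of a YARA hex string, lists its wildcard runs, and scans a buffer; the sample bytes it scans are constructed for the demo, not taken from any real binary.

```python
import re

# $c0 from the RsaRef2_NN_modExp rule above. "??" is a YARA wildcard byte; every
# run of four here follows E8 (x86 CALL rel32), so the signature ignores the
# link-time call displacements while pinning every other opcode and operand.
RULE_HEX = (
    "81 EC 1C 02 00 00 53 55 56 8B B4 24 30 02 00 00 57 8B BC 24 44 02 00 00 "
    "57 8D 84 24 A4 00 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 4C 02 00 00 57 53 "
    "8D 8C 24 B4 00 00 00 56 8D 94 24 3C 01 00 00 51 52 E8 ?? ?? ?? ?? 57 53 "
    "8D 84 24 4C 01 00 00 56 8D 8C 24 D4 01 00 00 50 51 E8 ?? ?? ?? ?? 8D 54 "
    "24 50 57 52 E8 ?? ?? ?? ?? 8B 84 24 78 02 00 00 8B B4 24 74 02 00 00 50 "
    "56 C7 44 24 60 01 00 00 00 E8 ?? ?? ?? ?? 8D 48 FF 83 C4 44 8B E9 89 4C "
    "24 18 85 ED 0F 8C AF 00 00 00 8D 34 AE 89 74 24"
)

def parse_hex_pattern(text):
    """Hex-string body -> int per fixed byte, None per '??' wildcard.
    Nibble wildcards, jumps and alternatives are outside this helper's scope."""
    toks = text.split()
    if not all(re.fullmatch(r"[0-9A-Fa-f]{2}|\?\?", t) for t in toks):
        raise ValueError("only fixed bytes and ?? wildcards are supported")
    return [None if t == "??" else int(t, 16) for t in toks]

def find_matches(data, tokens):
    """Offsets where the pattern matches; the lookahead keeps overlaps visible."""
    body = b"".join(b"." if t is None else b"\\x%02x" % t for t in tokens)
    return [m.start() for m in re.finditer(b"(?=" + body + b")", data, re.DOTALL)]

def wildcard_runs(tokens):
    """(start, length) of each run of consecutive wildcard bytes."""
    marks = "".join("?" if t is None else "." for t in tokens)
    return [(m.start(), m.end() - m.start()) for m in re.finditer(r"\?+", marks)]

def instantiate(tokens, filler):
    """Constructed sample: fixed bytes verbatim, n-th wildcard -> filler(n)."""
    out, n = bytearray(), 0
    for t in tokens:
        out.append(t if t is not None else filler(n) & 0xFF)
        n += 1 if t is None else 0
    return bytes(out)

PATTERN = parse_hex_pattern(RULE_HEX)

if __name__ == "__main__":
    # Constructed buffer: NOP padding, one "build" of the function, INT3 tail.
    sample = b"\x90" * 16 + instantiate(PATTERN, lambda n: 0x10 + n) + b"\xCC" * 8
    print(wildcard_runs(PATTERN))  # [(35, 4), (66, 4), (90, 4), (101, 4), (130, 4)]
    print(find_matches(sample, PATTERN))  # [16]
```

Flipping any fixed byte (for example the leading 0x81) makes the match disappear, while changing only the bytes under the wildcards does not; that asymmetry is what makes the signature stable across builds of the same library code.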
This rule contains one string pattern in its detection logic.
The following benign scenarios may produce matches; each comes with a suggested filter or exclusion:
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Check for a process parent or command-line arguments containing veeam or backup.
Example Filter: process.parent.name == "veeam" or process.command_line contains "backup"

Scenario: Regular Windows Update or Group Policy synchronization task
Filter/Exclusion: Filter out processes with parent svchost.exe or wuauserv.exe and a command line containing wuau or gpupdate.
Example Filter: process.parent.name == "svchost.exe" and (process.command_line contains "wuau" or process.command_line contains "gpupdate")

Scenario: Microsoft SQL Server maintenance job running during off-peak hours
Filter/Exclusion: Filter processes with parent sqlservr.exe and a command line containing sqlcmd or sp_updatestats.
Example Filter: process.parent.name == "sqlservr.exe" and process.command_line contains "sqlcmd"

Scenario: Ansible playbook execution for configuration management
Filter/Exclusion: Filter processes with parent ansible or a command line containing ansible-playbook and specific playbook names.
Example Filter: process.command_line contains "ansible-playbook" and process.command_line contains "config_mgmt"

Scenario: Docker container lifecycle management (e.g., docker-compose or docker run commands)
Filter/Exclusion: Filter processes with parent docker or a command line containing docker-compose or docker run.
Example Filter: process.command_line contains "docker-compose" or process.command_line contains "docker run"