The hypothesis is that a match on the RsaRef2 NN_modMult signature identifies a file, or a process's memory, that carries the compiled NN_ModMult routine from the RSAREF 2.0 library: the multiprecision modular multiplication (a = b*c mod d) on which NN_ModExp, and therefore RSAREF's RSA encryption, decryption, signing and key-generation operations, is built. Malware that statically links RSAREF-derived code to encrypt data or wrap keys will carry this routine, but so will any legitimate program built against the same library, so a hit is evidence of embedded RSA code, not of malice on its own. The rule is a file/memory signature: it runs under YARA (against samples, files on disk, or process memory through an EDR or sandbox), not as a log query. Where YARA match events are forwarded into Azure Sentinel, SOC teams should hunt on them and pivot to the matched file's hash, path and signing status, and to what the process did afterwards (key material written to disk, outbound transfers), to separate custom cryptographic tooling and potential data exfiltration from software that merely ships the library and would otherwise pass traditional security controls.
YARA Rule
rule RsaRef2_NN_modMult
{
    meta:
        author = "Maxx"
        description = "RsaRef2 NN_modMult"
    strings:
        // 32-bit x86 (MSVC, cdecl) body of RSAREF's NN_ModMult(a, b, c, d, digits):
        // sub esp,0x108 reserves NN_DIGIT t[2*MAX_NN_DIGITS] (66 four-byte digits for
        // the default 1024-bit build), then NN_Mult, NN_Mod and R_memset(t, 0, 0x108)
        // are called. The three "?? ?? ?? ??" groups are the call rel32 displacements,
        // which change with every link and are therefore wildcarded.
        $c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 00 00 8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 68 08 01 00 00 8D 4C 24 2C 6A 00 51 E8 ?? ?? ?? ?? 83 C4 30 5E 81 C4 08 01 00 00 C3 }
    condition:
        $c0
}
The rule has a single hex string pattern, $c0, and fires on any file or memory region that contains it. It can be deployed wherever YARA runs: against samples and files on disk, against process memory through an EDR or sandbox, and in a pipeline that forwards matches to the SIEM. Because the pattern encodes one compiler's output (32-bit MSVC, cdecl) for the default 1024-bit RSAREF build, it will miss the same routine compiled by a different compiler, as 64-bit code, or with MAX_RSA_MODULUS_BITS raised (which changes the 0x108 frame and memset constants), so a miss is not evidence of absence.
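As an added example, not code from the original page or from the signature's author, the following Python reimplements the rule's hex-string matching (fixed bytes plus ?? wildcards) and runs it over constructed sample bytes. The sample generator re-emits the instruction sequence that the rule's bytes decode to (my decoding: 32-bit MSVC cdecl NN_ModMult(a, b, c, d, digits)), parameterised by the three call displacements and by MAX_RSA_MODULUS_LEN, using RSAREF's nn.h arithmetic MAX_NN_DIGITS = (MAX_RSA_MODULUS_LEN + 3) / 4 + 1 with four-byte digits. It shows that relinking (different call targets) still matches, while a 2048-bit rebuild shifts the frame constants and evades the rule. The rel32 values and padding are made up for the demonstration.

```python
import re
import struct

# The hex string from the YARA rule above, copied verbatim. "??" is a one-byte wildcard.
RULE_HEX = (
    "8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 "
    "56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 "
    "00 00 8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 68 08 01 00 00 8D 4C 24 2C 6A 00 51 "
    "E8 ?? ?? ?? ?? 83 C4 30 5E 81 C4 08 01 00 00 C3"
)


def parse_hex_string(text):
    """YARA hex string -> list of int-or-None; None is a ?? wildcard.
    Only plain bytes and ?? are handled (no jumps or alternatives)."""
    tokens = []
    for tok in text.split():
        if tok == "??":
            tokens.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            tokens.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    return tokens


def scan(buf, pattern):
    """Offsets in buf where pattern matches; a wildcard position accepts any byte."""
    n = len(pattern)
    return [
        off for off in range(len(buf) - n + 1)
        if all(p is None or p == b for p, b in zip(pattern, buf[off:off + n]))
    ]


def u32(v):
    return struct.pack("<I", v)


def i32(v):
    return struct.pack("<i", v)


def build_nn_modmult(rel32s, modulus_len=128):
    """Constructed sample: the x86 bytes the rule decodes to, re-emitted for a chosen
    build. rel32s are the three link-dependent call displacements (NN_Mult, NN_Mod,
    R_memset); modulus_len is MAX_RSA_MODULUS_LEN, 128 for RSAREF's default 1024-bit
    build. Frame arithmetic follows nn.h: MAX_NN_DIGITS = (len + 3) / 4 + 1."""
    nn_digits = (modulus_len + 3) // 4 + 1
    frame = 2 * nn_digits * 4                  # sizeof(NN_DIGIT t[2 * MAX_NN_DIGITS])
    call_mult, call_mod, call_memset = rel32s
    parts = [
        b"\x8b\x44\x24\x0c",                    # mov eax,[esp+0xc]      ; c
        b"\x8b\x4c\x24\x08",                    # mov ecx,[esp+0x8]      ; b
        b"\x81\xec", u32(frame),                # sub esp,frame          ; t[]
        b"\x8d\x54\x24\x00",                    # lea edx,[esp]          ; t
        b"\x56",                                # push esi
        b"\x8b\xb4\x24", u32(frame + 0x18),     # mov esi,[esp+...]      ; digits
        b"\x56\x50\x51\x52",                    # push digits, c, b, t
        b"\xe8", i32(call_mult),                # call NN_Mult(t, b, c, digits)
        b"\x8b\x84\x24", u32(frame + 0x24),     # mov eax,[esp+...]      ; d
        b"\x56",                                # push digits
        b"\x8d\x0c\x36",                        # lea ecx,[esi+esi]      ; 2*digits
        b"\x50",                                # push d
        b"\x8b\x84\x24", u32(frame + 0x20),     # mov eax,[esp+...]      ; a
        b"\x8d\x54\x24\x1c",                    # lea edx,[esp+0x1c]     ; t
        b"\x51\x52\x50",                        # push 2*digits, t, a
        b"\xe8", i32(call_mod),                 # call NN_Mod(a, t, 2*digits, d, digits)
        b"\x68", u32(frame),                    # push sizeof(t)
        b"\x8d\x4c\x24\x2c",                    # lea ecx,[esp+0x2c]     ; t
        b"\x6a\x00\x51",                        # push 0 ; push t
        b"\xe8", i32(call_memset),              # call R_memset(t, 0, sizeof(t))
        b"\x83\xc4\x30",                        # add esp,0x30
        b"\x5e",                                # pop esi
        b"\x81\xc4", u32(frame),                # add esp,frame
        b"\xc3",                                # ret
    ]
    return b"".join(parts)


def implied_modulus_len(frame_size):
    """Invert the frame arithmetic: bytes reserved for t -> largest MAX_RSA_MODULUS_LEN
    that yields that digit count (0x108 -> 128, the 1024-bit default)."""
    nn_digits = frame_size // 8
    return (nn_digits - 1) * 4


if __name__ == "__main__":
    pattern = parse_hex_string(RULE_HEX)
    # Constructed blobs: padding around the routine, a second link layout, and a
    # 2048-bit rebuild that shifts every frame constant.
    padded = b"\x90" * 16 + build_nn_modmult((0x1234, -0x200, 0x7ffe)) + b"\xcc" * 8
    relinked = build_nn_modmult((0x4000, 0x5678, -0x1000))
    bigmod = build_nn_modmult((0x1234, -0x200, 0x7ffe), modulus_len=256)
    print("default build, padded   :", scan(padded, pattern))      # [16]
    print("default build, relinked :", scan(relinked, pattern))    # [0]
    print("2048-bit rebuild        :", scan(bigmod, pattern))      # []
    print("modulus implied by 0x108:", implied_modulus_len(0x108))  # 128
```

The generator is a convenience for testing the matcher offline; against a real sample you would run the rule with the yara binary or yara-python and, on a hit, read the sub esp immediate at the match offset to confirm the build's modulus size.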
The following exclusions apply to a process-level alert built on forwarded match events. Two caveats: a YARA hit is about the content of the matched file, so an exclusion keyed on process.name alone should be narrowed by the matched file's path or hash, or by the parent process; and a filter written as process.name != "less" or process.name != "grep" is always true and would suppress every alert, so lists of names must be expressed as "not in".
Scenario: Regular system maintenance task using rsync to synchronize files between servers
Filter/Exclusion: exclude when process.name == "rsync"; narrower, exclude only when process.parent.name == "systemd" and process.name == "rsync"
Scenario: Scheduled backup job using tar and gzip to archive database files
Filter/Exclusion: exclude when process.name in ("tar", "gzip"); narrower, exclude only when process.parent.name == "cron" and process.name == "tar"
Scenario: Admin performing manual log analysis using less or grep on log files
Filter/Exclusion: exclude when process.name in ("less", "grep"); narrower, exclude only when process.parent.name == "bash" and process.args contains "grep"
Scenario: Automated script running under cron to clean up temporary files
Filter/Exclusion: exclude when process.parent.name == "cron" and process.name == "sh" and process.args contains "clean_temp.sh"
Scenario: System update using apt or yum that involves cryptographic operations (package signature checks)
Filter/Exclusion: exclude when process.name in ("apt", "yum"); narrower, exclude only when process.parent.name == "systemd" and process.name == "apt" and process.args contains "upgrade"