The RsaPrivateDecrypt detection rule identifies potential RSA private-key decryption activity by matching a code pattern from the RsaRef2 RsaPrivateDecrypt routine, which could indicate an adversary attempting to decrypt sensitive data or exfiltrate information. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early signs of cryptographic attacks or data compromise.
YARA Rule
rule RsaRef2_RsaPrivateDecrypt
{
    meta:
        author = "Maxx"
        description = "RsaRef2 RsaPrivateDecrypt"
    strings:
        $c0 = { 8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 50 8B 84 24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 14 51 52 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F 85 8B 00 00 00 39 74 24 04 74 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 8A 44 24 08 84 C0 75 6B 8A 4C 24 09 B8 02 00 00 00 3A C8 75 5E 8D 4E FF 3B C8 76 0D 8A 54 04 08 84 D2 74 05 40 3B C1 72 F3 40 3B C6 73 45 8B 94 24 ?? 00 00 00 8B CE 2B C8 89 0A 8D 51 0B }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern ($c0) in its detection logic.
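To show what the `??` wildcards in $c0 actually accept (the four bytes of the relative `E8` call displacement and one byte of a stack offset, both of which vary between builds), here is an added Python example, not part of this page or the rule author's tooling, that turns the hex string into a byte regex and scans a constructed buffer; the fill bytes and padding are constructed sample data.

```python
import re
from typing import List

# $c0 from the RsaRef2_RsaPrivateDecrypt rule above, copied verbatim ("??" = any one byte).
C0_HEX = (
    "8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 "
    "83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 "
    "00 00 C3 50 8B 84 24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 "
    "14 51 52 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F 85 8B 00 00 00 39 "
    "74 24 04 74 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 8A 44 "
    "24 08 84 C0 75 6B 8A 4C 24 09 B8 02 00 00 00 3A C8 75 5E 8D "
    "4E FF 3B C8 76 0D 8A 54 04 08 84 D2 74 05 40 3B C1 72 F3 40 "
    "3B C6 73 45 8B 94 24 ?? 00 00 00 8B CE 2B C8 89 0A 8D 51 0B"
)

def hex_string_to_regex(hex_string: str) -> bytes:
    """Translate a YARA hex string (fixed bytes plus ?? wildcards) into a bytes regex."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")  # wildcard: exactly one arbitrary byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)

def scan(data: bytes, hex_string: str = C0_HEX) -> List[int]:
    """Return every offset at which the hex string matches (the same offsets YARA reports as @c0)."""
    pattern = re.compile(hex_string_to_regex(hex_string), re.DOTALL)
    return [m.start() for m in pattern.finditer(data)]

def render(hex_string: str, fill: bytes) -> bytes:
    """Build a concrete byte sequence by substituting `fill` for the wildcards, in order."""
    out, fill_iter = bytearray(), iter(fill)
    for tok in hex_string.split():
        out.append(next(fill_iter) if tok == "??" else int(tok, 16))
    return bytes(out)

# Constructed sample: NOP padding, then the routine with arbitrary (constructed) wildcard
# bytes for the call displacement and stack offset, then INT3 padding.
SAMPLE = b"\x90" * 64 + render(C0_HEX, b"\x12\x34\x56\x78\xA0") + b"\xCC" * 32

# Constructed near-miss: identical, except one fixed byte (the leading 0x8B) is altered,
# so the rule must not fire even though every wildcard position still matches.
NEAR_MISS = bytearray(SAMPLE)
NEAR_MISS[64] = 0x8C
NEAR_MISS = bytes(NEAR_MISS)

if __name__ == "__main__":
    print("sample   :", scan(SAMPLE))     # [64]
    print("near-miss:", scan(NEAR_MISS))  # []
```

Because the wildcards are fixed-width, any build that changes instruction layout (different compiler, stack frame, or optimisation) will not match; the scan is useful for confirming a hit before tuning the Sentinel exclusions below.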
Scenario: Regular RSA private key decryption during secure communication (e.g., TLS handshake)
Filter/Exclusion: Check for process.name containing openssl or OpenSSL and ensure the process.args includes s_server or s_client for legitimate TLS testing.
Scenario: Scheduled job using openssl to decrypt encrypted backups
Filter/Exclusion: Filter by process.name equals openssl and process.args contains decrypt and file.path matches known backup directories (e.g., /backup/).
Scenario: System administrators using ssh to decrypt SSH keys during key management
Filter/Exclusion: Filter by process.name equals ssh and process.args includes ssh-keygen or ssh-add, and check for user.name being a known admin user.
Scenario: Use of gpg to decrypt files during routine data processing
Filter/Exclusion: Filter by process.name equals gpg and process.args includes --decrypt, and verify the file.path is within a known data processing directory (e.g., /data/processing/).
Scenario: Enterprise application using Java to decrypt data at rest with RSA
Filter/Exclusion: Filter by process.name containing java and process.args includes -Djavax.net.ssl.keyStore, and ensure the file.path is within the application’s secure data directory (e.g., /app/data/secure/).