The RsaRef2_RsaPublicDecrypt detection rule matches a byte pattern taken from the compiled x86 code of the RSAPublicDecrypt routine in the RSAREF 2 library (the "??" wildcards in the pattern below cover a relative call target and one stack displacement byte, which vary between builds). A hit identifies a binary carrying RSA public-key decryption code, which may indicate an adversary attempting to decrypt data as part of a data exfiltration or decryption effort. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early signs of advanced persistent threats leveraging cryptographic techniques to access or manipulate sensitive information.
YARA Rule
rule RsaRef2_RsaPublicDecrypt
{
    meta:
        author = "Maxx"
        description = "RsaRef2 RsaPublicDecrypt"
    strings:
        $c0 = { 8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 50 8B 84 24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 14 51 52 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F 85 8E 00 00 00 39 74 24 04 74 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 8A 44 24 08 84 C0 75 6E 80 7C 24 09 01 75 67 B8 02 00 00 00 8D 4E FF 3B C8 76 0D B2 FF 38 54 04 08 75 05 40 3B C1 72 F5 8A 4C 04 08 40 84 C9 75 45 8B 94 24 ?? 00 00 00 8B CE 2B C8 89 0A }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($c0) in its detection logic; the rule fires whenever that pattern is found anywhere in the scanned file or memory region.
Scenario: Scheduled System Backup Job Using RsaPublicDecrypt
Description: A legitimate backup process may use RSA decryption for secure data transfer.
Filter/Exclusion: process.name != "backuptool.exe" and process.name != "vssadmin.exe"

Scenario: Administrative Task Involving Secure Credential Handling
Description: An admin might use RSA decryption to handle encrypted credentials during a configuration task.
Filter/Exclusion: process.name != "mmc.exe" and process.name != "certutil.exe"

Scenario: Logon Process with Encrypted Passwords
Description: During user logon, encrypted passwords may be decrypted using RSA for authentication.
Filter/Exclusion: process.name != "lsass.exe" and process.name != "logonui.exe"

Scenario: Encrypted File Access via Third-Party Tool
Description: A legitimate tool like 7-Zip or WinRAR may decrypt RSA-encrypted files as part of archive operations.
Filter/Exclusion: process.name != "7z.exe" and process.name != "winrar.exe"

Scenario: Secure Communication with Encrypted Payloads
Description: A legitimate TLS/SSL-enabled service may use RSA decryption for secure communication.
Filter/Exclusion: process.name != "nginx.exe" and process.name != "openssl.exe"

Note that each exclusion must combine its two names with "and" (or an equivalent "not in" list test): the form process.name != "a" or process.name != "b" is true for every process name, so it would exclude nothing.
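The following is an added example and is not code from the page, from the rule's author, or from the YARA project. It implements, in plain Python with no yara-python dependency, the subset of YARA hex-string syntax the rule above uses (fixed bytes and the single-byte "??" wildcard), reports match offsets the way YARA reports $c0, and then applies the process-name exclusions from the scenarios in their correct AND form alongside the tautological OR form so the difference is visible. The only value taken from the page is the $c0 pattern; every buffer, process name and event record is constructed here for illustration, and the "image" field standing in for a scanned binary is an assumption of this example.

```python
"""Pure-Python matcher for the YARA hex string $c0 plus the scenario exclusions.

Added example, not the page's or the YARA project's code. Supports only the
hex-string features this rule uses: fixed bytes and the `??` byte wildcard.
"""
import re
from typing import List, Optional

# $c0 from rule RsaRef2_RsaPublicDecrypt, copied verbatim from the page (160 tokens).
C0_PATTERN = (
    "8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 83 C6 07 "
    "C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 50 8B 84 "
    "24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 14 51 52 E8 ?? ?? ?? ?? 83 "
    "C4 14 85 C0 0F 85 8E 00 00 00 39 74 24 04 74 0D B8 06 04 00 00 5E 81 "
    "C4 84 00 00 00 C3 8A 44 24 08 84 C0 75 6E 80 7C 24 09 01 75 67 B8 02 "
    "00 00 00 8D 4E FF 3B C8 76 0D B2 FF 38 54 04 08 75 05 40 3B C1 72 F5 "
    "8A 4C 04 08 40 84 C9 75 45 8B 94 24 ?? 00 00 00 8B CE 2B C8 89 0A"
)

# Process names from the five scenarios. A set-membership test is the correct
# "AND of !=" exclusion; `name != "a" or name != "b"` is true for every name.
EXCLUDED_PROCESSES = {
    "backuptool.exe", "vssadmin.exe", "mmc.exe", "certutil.exe", "lsass.exe",
    "logonui.exe", "7z.exe", "winrar.exe", "nginx.exe", "openssl.exe",
}


def parse_hex_string(pattern: str) -> List[Optional[int]]:
    """Parse a YARA hex-string body into byte values; None marks a `??` wildcard.
    Jumps ([n-m]) and nibble wildcards (?A) are not used by this rule and are rejected."""
    tokens: List[Optional[int]] = []
    for tok in pattern.split():
        if tok == "??":
            tokens.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            tokens.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported hex-string token: {tok!r}")
    return tokens


def compile_hex_string(tokens: List[Optional[int]]) -> "re.Pattern":
    """Turn parsed tokens into a bytes regex; each wildcard matches exactly one byte."""
    body = b"".join(b"." if t is None else re.escape(bytes([t])) for t in tokens)
    return re.compile(body, re.DOTALL)  # DOTALL so '.' also matches 0x0A


def find_offsets(tokens: List[Optional[int]], data: bytes) -> List[int]:
    """Offsets at which the pattern occurs in `data` (what YARA reports for $c0)."""
    return [m.start() for m in compile_hex_string(tokens).finditer(data)]


def build_sample(tokens: List[Optional[int]], wildcard_fill: int, prefix: bytes) -> bytes:
    """Constructed test buffer: `prefix`, then the pattern with every wildcard set
    to `wildcard_fill`. A real hit would come from scanning a binary, not from this."""
    return prefix + bytes(wildcard_fill if t is None else t for t in tokens)


def tautological_filter_keeps(process_name: str) -> bool:
    """The OR form of the last scenario's filter: it never drops an event."""
    return process_name != "nginx.exe" or process_name != "openssl.exe"


def is_excluded(process_name: str) -> bool:
    """Correct exclusion: drop the hit only when the name is on the scenario list."""
    return process_name.lower() in EXCLUDED_PROCESSES


def triage(events: List[dict], tokens: List[Optional[int]]) -> List[dict]:
    """Scan each event's image bytes with $c0 and keep hits not covered by an exclusion."""
    alerts = []
    for ev in events:
        offsets = find_offsets(tokens, ev["image"])
        if offsets and not is_excluded(ev["process"]):
            alerts.append({"process": ev["process"], "offsets": offsets})
    return alerts


def demo() -> List[dict]:
    """Constructed events: two images embed the pattern with different wildcard
    bytes, one has a single fixed byte corrupted, and one hit is from an excluded process."""
    tokens = parse_hex_string(C0_PATTERN)
    hit_a = build_sample(tokens, 0x90, b"\x00" * 16)
    hit_b = build_sample(tokens, 0x41, b"MZ" + b"\x00" * 62)
    near_miss = bytearray(hit_a)
    near_miss[16] ^= 0xFF  # first fixed byte 8B becomes 74, so the rule must not fire
    events = [
        {"process": "unknown_tool.exe", "image": hit_a},   # genuine hit, alert
        {"process": "openssl.exe", "image": hit_b},        # hit, but excluded by scenario 5
        {"process": "another.exe", "image": bytes(near_miss)},  # no match
    ]
    return triage(events, tokens)


if __name__ == "__main__":
    for alert in demo():
        print(f"{alert['process']}: $c0 at offsets {alert['offsets']}")
```

Only the hit from the unlisted process survives triage: the excluded service's hit is dropped by the set test, while tautological_filter_keeps returns True even for "nginx.exe" and "openssl.exe", which is exactly why the OR form must not be used in the filters above.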