The RsaRef2 RsaPublicEncrypt rule detects code matching an RSA public-key encryption routine, which may indicate an adversary using encryption to exfiltrate data or to establish a secure communication channel. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage encryption-based attacks that could evade traditional detection methods.
YARA Rule
rule RsaRef2_RsaPublicEncrypt
{
    meta:
        author = "Maxx"
        description = "RsaRef2 RsaPublicEncrypt"
    strings:
        $c0 = { 8B 44 24 14 81 EC 84 00 00 00 53 8B 9C 24 98 00 00 00 57 8B 38 83 C7 07 8D 4B 0B C1 EF 03 3B CF 76 0E 5F B8 06 04 00 00 5B 81 C4 84 00 00 00 C3 8B D7 55 2B D3 56 BE 02 00 00 00 C6 44 24 14 00 8D 6A FF C6 44 24 15 02 3B EE 76 28 8B 84 24 AC 00 00 00 8D 4C 24 13 50 6A 01 51 E8 ?? ?? ?? ?? 8A 44 24 1F 83 C4 0C 84 C0 74 E1 88 44 34 14 46 3B F5 72 D8 8B 94 24 A0 00 00 00 53 8D 44 34 19 52 50 C6 44 34 20 00 E8 ?? ?? ?? ?? 8B 8C 24 B4 00 00 00 8B 84 24 A8 00 00 00 51 8B 8C 24 A8 00 }
    condition:
        $c0
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic. The benign scenarios below can produce matches and should be excluded by combining the process-name conditions with AND, so that an event is kept only when the process is none of the listed ones (an OR of "not equal" comparisons is always true and excludes nothing).
Scenario: Scheduled System Backup Job Using RSA Encryption
Description: A legitimate backup tool (e.g., Veeam, Acronis) may use RSA encryption during secure data transfer.
Filter/Exclusion: process.name != "veeam.exe" && process.name != "acronis.exe"

Scenario: Administrative Task Using Secure Remote Access (e.g., SSH with RSA)
Description: An admin may use SSH with RSA public key authentication to access a server.
Filter/Exclusion: process.name != "ssh.exe" && process.name != "openssh.exe"

Scenario: Email Client Encrypting Emails with RSA (e.g., Thunderbird with S/MIME)
Description: A user may encrypt an email using RSA public key encryption via an email client like Thunderbird.
Filter/Exclusion: process.name != "thunderbird.exe" && process.name != "msoutl.exe"

Scenario: Database Backup Tool Encrypting Data at Rest (e.g., Oracle Secure Backup)
Description: A database backup tool may use RSA encryption to secure backup files.
Filter/Exclusion: process.name != "obkbackup.exe" && process.name != "oracle.exe"

Scenario: Log Management Tool Encrypting Logs (e.g., Splunk with TLS)
Description: A log management tool may use RSA encryption during secure log transmission.
Filter/Exclusion: process.name != "splunk.exe" && process.name != "logstash.exe"