The eight 32-bit words matched below are the initial hash values H0..H7 of SHA-256, written as little-endian byte sequences, which is how they appear in x86/x64 code and data once a hashing routine has been compiled (either as a constant table or as immediates in mov instructions). The same words are the BLAKE2s IV, and they are the upper halves of the SHA-512 initial values that BLAKE2b, and therefore Argon2, uses, so the rule also hits 64-bit implementations. A match does not indicate tampering or exfiltration; it flags a file that embeds its own SHA-2, BLAKE2 or Argon2 implementation, which is useful when triaging malware that carries hashing code (for example key derivation in ransomware or integrity checks on payloads) and for locating that routine in a disassembler. Packed or encrypted samples only match after unpacking or when process memory is scanned, and the constants spelled out in source text (0x6a09e667) never match, because the rule looks for raw bytes. The rule runs under the yara command line or any scanner that loads YARA signatures.
YARA Rule
rule SHA2_BLAKE2_IVs {
    meta:
        author = "spelissier"
        description = "Look for SHA2/BLAKE2/Argon2 IVs"
        date = "2019-12"
        version = "0.1"
    strings:
        // SHA-256 H0..H7, also the BLAKE2s IV and the high 32 bits of the
        // SHA-512 / BLAKE2b IV, each stored as a little-endian 32-bit word
        $c0 = { 67 E6 09 6A } // 0x6a09e667
        $c1 = { 85 AE 67 BB } // 0xbb67ae85
        $c2 = { 72 F3 6E 3C } // 0x3c6ef372
        $c3 = { 3A F5 4F A5 } // 0xa54ff53a
        $c4 = { 7F 52 0E 51 } // 0x510e527f
        $c5 = { 8C 68 05 9B } // 0x9b05688c
        $c6 = { AB D9 83 1F } // 0x1f83d9ab
        $c7 = { 19 CD E0 5B } // 0x5be0cd19
    condition:
        // all eight words must be present; a partial hit is not reported
        all of them
}
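The following script is an added example, not part of the original rule or the rule author's code. It reimplements the rule's condition (all eight little-endian patterns present somewhere in the data) in plain Python and runs it over constructed byte blobs that stand in for regions of a scanned file, so you can see which encodings trigger the rule and which do not, including the SHA-512/BLAKE2b case. All sample data, names and paths below are constructed for illustration.

```python
"""Reproduce the SHA2_BLAKE2_IVs condition in Python (added example, not the
original rule) and exercise it on constructed byte blobs."""
import struct

# SHA-256 initial hash values H0..H7 (FIPS 180-4); BLAKE2s uses the same IV.
SHA256_IV = [
    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
    0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
]

# SHA-512 initial hash values (also the BLAKE2b IV, hence present in Argon2).
# Their upper 32 bits are exactly the SHA-256 words above.
SHA512_IV = [
    0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
    0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179,
]

# The rule's $c0..$c7: each SHA-256 word as four little-endian bytes.
RULE_PATTERNS = [struct.pack("<I", w) for w in SHA256_IV]
assert RULE_PATTERNS[0] == bytes.fromhex("67E6096A")  # matches $c0 in the rule


def matching_patterns(data: bytes) -> list:
    """Indices of $c0..$c7 that occur anywhere in data (like `yara -s` output)."""
    return [i for i, pattern in enumerate(RULE_PATTERNS) if pattern in data]


def rule_matches(data: bytes) -> bool:
    """Equivalent of the rule's `condition: all of them`."""
    return len(matching_patterns(data)) == len(RULE_PATTERNS)


def scan_file(path: str) -> bool:
    """Apply the same check to a file on disk, e.g. a coreutils sha256sum binary."""
    with open(path, "rb") as fh:
        return rule_matches(fh.read())


# Constructed samples standing in for sections of scanned files. A compiled
# SHA-256 routine on x86/x64 contains the first layout, whether the words sit
# in a data table or are encoded as little-endian immediates in mov instructions.
SAMPLE_SHA256_LE = b"\x90" * 16 + struct.pack("<8I", *SHA256_IV) + b"\xc3"
SAMPLE_SHA512_LE = b"\x90" * 16 + struct.pack("<8Q", *SHA512_IV) + b"\xc3"
SAMPLE_SHA256_BE = struct.pack(">8I", *SHA256_IV)              # big-endian target
SAMPLE_PARTIAL_LE = struct.pack("<7I", *SHA256_IV[:7])          # H7 missing
SAMPLE_SOURCE_TEXT = ", ".join(f"0x{w:08x}" for w in SHA256_IV).encode()  # C source


def scan_samples() -> dict:
    """Run the rule over every constructed sample; True means the rule fires."""
    return {
        "sha256 words, little-endian": rule_matches(SAMPLE_SHA256_LE),
        "sha512/blake2b words, little-endian": rule_matches(SAMPLE_SHA512_LE),
        "sha256 words, big-endian": rule_matches(SAMPLE_SHA256_BE),
        "only 7 of 8 words": rule_matches(SAMPLE_PARTIAL_LE),
        "constants as C source text": rule_matches(SAMPLE_SOURCE_TEXT),
    }


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:40s} {'MATCH' if hit else 'no match'}")
```

Only the two little-endian layouts fire; the big-endian table, the seven-word fragment and the constants written as source text do not, which is the behaviour to expect from `yara -s` with the rule. Calling `scan_file()` on a system binary that implements SHA-256 (a coreutils sha256sum, for instance) shows the match on legitimate software that the exclusions below address.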
The rule contains eight string patterns and requires all of them, so it fires on any file that embeds a compiled SHA-256, SHA-512, BLAKE2 or Argon2 implementation, including a great deal of legitimate software. Because YARA matches file or memory content, tune it by file path or hash rather than by process name, and do not expect text files (configuration, certificates, logs) to match at all. Typical benign sources of hits:
Scenario: Backup jobs that verify archives with sha256sum (often driven by rsync or tar wrappers)
Filter/Exclusion: Exclude the coreutils binaries by path or hash (e.g. /usr/bin/sha256sum); the backup directories themselves (e.g. /backup, /var/backups) only need excluding if they hold copies of such binaries.
Scenario: Configuration management (ansible) computing SHA-256 checksums of pushed files through Python's hashlib
Filter/Exclusion: Exclude the interpreter's hash modules and the OpenSSL libcrypto shared library they call, by path or hash; playbooks and inventories under /etc/ansible are text and never match.
Scenario: Admin tasks using the openssl command line to hash or verify certificates
Filter/Exclusion: Exclude the openssl binary and libcrypto by hash; PEM files under /etc/ssl/certs or /usr/local/share/ca-certificates are text and do not need an exclusion.
Scenario: Log integrity checks using b2sum (BLAKE2b), scheduled alongside logrotate
Filter/Exclusion: Exclude the b2sum binary; logrotate itself does not hash, and the rotated logs under /var/log do not contain the constants.
Scenario: Database tooling (pg_dump, libpq, the PostgreSQL server) that implements SCRAM-SHA-256 authentication
Filter/Exclusion: Exclude the PostgreSQL binaries and libpq by path or hash; pg_hba.conf and postgresql.conf are text and never match. PostgreSQL does not use Argon2; Argon2 hits come from password-hashing libraries such as libargon2 or libsodium, which should be excluded by hash where they are expected.