This detection rule identifies files that embed SHA384/SHA512 cryptographic constants, which may indicate obfuscation or encoding techniques used in malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover hidden malicious activity that may evade traditional detection methods.
YARA Rule
rule SHA512_Constants {
    meta:
        author = "phoul (@phoul)"
        description = "Look for SHA384/SHA512 constants"
        date = "2014-01"
        version = "0.1"
    strings:
        // Each 32-bit value appears twice: as stored big-endian and byte-swapped (little-endian)
        $c0 = { 428a2f98 }   // high half of round constant K[0] = 0x428a2f98d728ae22
        $c1 = { 982F8A42 }
        $c2 = { 71374491 }   // high half of K[1] = 0x7137449123ef65cd
        $c3 = { 91443771 }
        $c4 = { B5C0FBCF }   // high half of K[2] = 0xb5c0fbcfec4d3b2f
        $c5 = { CFFBC0B5 }
        $c6 = { E9B5DBA5 }   // high half of K[3] = 0xe9b5dba58189dbbc
        $c7 = { A5DBB5E9 }
        $c8 = { D728AE22 }   // low half of K[0]; this half is specific to SHA384/SHA512
        $c9 = { 22AE28D7 }
    condition:
        5 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 10 string patterns in its detection logic.
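The following added example (not part of the original rule page) emulates the rule's matching logic in pure Python so an analyst can check the "5 of them" threshold against constructed buffers: a SHA-512 round-constant table in little-endian and big-endian layouts, and a SHA-256 table whose first four constants share their high 32 bits with SHA-512's and therefore hit only four of the ten strings. The sample buffers and the scan/rule_matches helpers are constructed here and are not from the page.

```python
import struct

# The ten hex patterns from the rule, keyed by their YARA string names.
PATTERNS = {
    "$c0": bytes.fromhex("428a2f98"), "$c1": bytes.fromhex("982F8A42"),
    "$c2": bytes.fromhex("71374491"), "$c3": bytes.fromhex("91443771"),
    "$c4": bytes.fromhex("B5C0FBCF"), "$c5": bytes.fromhex("CFFBC0B5"),
    "$c6": bytes.fromhex("E9B5DBA5"), "$c7": bytes.fromhex("A5DBB5E9"),
    "$c8": bytes.fromhex("D728AE22"), "$c9": bytes.fromhex("22AE28D7"),
}
THRESHOLD = 5  # the rule's condition: "5 of them"


def scan(data: bytes) -> list:
    """Return the names of the rule's strings that occur anywhere in data."""
    return [name for name, pat in PATTERNS.items() if pat in data]


def rule_matches(data: bytes) -> bool:
    """Emulate the rule condition: at least THRESHOLD distinct strings present."""
    return len(scan(data)) >= THRESHOLD


# Constructed sample inputs (not taken from the page).
# First four SHA-512 round constants K[0..3] (the SHA-384 schedule uses the same table).
SHA512_K = [0x428a2f98d728ae22, 0x7137449123ef65cd,
            0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc]
# As a little-endian build stores the table, surrounded by filler bytes.
SHA512_LE = b"\x90" * 16 + b"".join(struct.pack("<Q", k) for k in SHA512_K) + b"\xcc" * 16
# As a big-endian build (or a byte-array literal) stores it.
SHA512_BE = b"".join(struct.pack(">Q", k) for k in SHA512_K)
# First four SHA-256 round constants: identical to the high 32 bits of SHA512_K,
# so a SHA-256 implementation trips only four strings and stays under the threshold.
SHA256_K = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5]
SHA256_LE = b"".join(struct.pack("<I", k) for k in SHA256_K)


if __name__ == "__main__":
    for label, buf in (("sha512-le", SHA512_LE), ("sha512-be", SHA512_BE),
                       ("sha256-le", SHA256_LE), ("zeros", b"\x00" * 64)):
        print(f"{label:10} hits={scan(buf)} match={rule_matches(buf)}")
```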
Scenario: A system backup tool (e.g., Veeam Backup & Replication) uses SHA512 for data integrity checks during backup jobs.
Filter/Exclusion: Exclude processes related to backup tools using process.name or process.args containing “Veeam” or “backup”.
Scenario: A scheduled job (e.g., cron or Task Scheduler) runs a script that hashes files using SHA384 as part of a compliance check.
Filter/Exclusion: Exclude processes with process.name matching “cron” or “schtasks” and filter by known compliance scripts.
Scenario: A system administrator manually runs a hash verification command (e.g., sha512sum) to validate file integrity.
Filter/Exclusion: Exclude processes where process.name is sh or bash and command_line contains “sha512sum” or “sha384sum”.
Scenario: A configuration management tool (e.g., Ansible, Chef) uses SHA512 for checksum validation of packages during deployment.
Filter/Exclusion: Exclude processes with process.name containing “ansible” or “chef” and filter by known package validation commands.
Scenario: A security tool (e.g., CrowdStrike, SentinelOne) includes SHA384/SHA512 constants in its signature database for threat detection.
Filter/Exclusion: Exclude processes with process.name matching the security tool’s agent name and filter by known signature databases.