This rule looks for constants from the Whirlpool hash function's lookup tables. A match in a file or memory region means the object carries a table-driven Whirlpool implementation, either its own or one pulled in from a linked cryptographic library that offers Whirlpool (OpenSSL's legacy provider and Crypto++ both do, and VeraCrypt/TrueCrypt use it as a key-derivation hash). Malware that implements its own hashing or key derivation can embed it as well, which is what makes the rule a useful triage lead, but Whirlpool is a hash, not a cipher, and a hit by itself says nothing about exfiltration or encryption activity. Because it is a YARA rule, it runs over files, memory dumps or live process memory through the yara command-line tool, yara-python, an EDR or a sandbox, not over SIEM log tables; hits from those scanners can be forwarded to a SIEM such as Azure Sentinel and correlated with process and network telemetry to decide whether a Whirlpool-bearing binary is expected on that host.
YARA Rule
rule WHIRLPOOL_Constants {
    meta:
        author = "phoul (@phoul)"
        description = "Look for WhirlPool constants"
        date = "2014-02"
        version = "0.1"
    strings:
        // First two entries of the Whirlpool C0 lookup table, as they are laid
        // out in a big-endian build ($c0, $c2) and in a little-endian build ($c1, $c3).
        $c0 = { 18186018c07830d8 }   // C0[0], big-endian
        $c1 = { d83078c018601818 }   // C0[0], byte-reversed (little-endian)
        $c2 = { 23238c2305af4626 }   // C0[1], big-endian
        $c3 = { 2646af05238c2323 }   // C0[1], byte-reversed (little-endian)
    condition:
        // A table of either byte order supplies exactly two of the four strings.
        2 of them
}
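The following is an added worked example; it is not part of the original page and not code from the rule's author. It rebuilds the rule's four hex strings from the Whirlpool specification (the C0 table is the S-box multiplied by the row (1, 1, 4, 1, 8, 5, 2, 9) in GF(2^8) under the polynomial 0x11d; the first two S-box entries are 0x18 and 0x23) and then emulates the "2 of them" condition against constructed sample buffers that stand in for little-endian and big-endian builds. The function names and the sample buffers are the example's own, not anything from the page.

```python
# Added example (not from the original page or the rule author): derive the
# WHIRLPOOL_Constants strings from the Whirlpool C0 table definition and
# emulate the rule's "2 of them" condition on constructed sample data.

# Whirlpool's C0 table is row 0 of the diffusion matrix applied to the S-box:
#   C0[x] = S[x] * (1, 1, 4, 1, 8, 5, 2, 9) in GF(2^8), polynomial 0x11d.
# Only the first two S-box entries (0x18, 0x23) are needed for this rule.
WHIRLPOOL_SBOX_PREFIX = (0x18, 0x23)
C0_MULTIPLIERS = (1, 1, 4, 1, 8, 5, 2, 9)
WHIRLPOOL_POLY = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements modulo the Whirlpool polynomial."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= WHIRLPOOL_POLY
        b >>= 1
    return result


def c0_entry(sbox_byte: int) -> bytes:
    """One 8-byte C0 table entry, in the big-endian order of the reference tables."""
    return bytes(gf_mul(sbox_byte, m) for m in C0_MULTIPLIERS)


def rule_strings() -> dict:
    """The rule's strings: $c0/$c2 are C0[0]/C0[1] big-endian,
    $c1/$c3 the same values byte-reversed (how a little-endian build stores them)."""
    strings = {}
    for i, s in enumerate(WHIRLPOOL_SBOX_PREFIX):
        entry = c0_entry(s)
        strings[f"$c{2 * i}"] = entry
        strings[f"$c{2 * i + 1}"] = entry[::-1]
    return strings


def evaluate(data: bytes, threshold: int = 2):
    """Emulate `condition: 2 of them`: return (fired, sorted names of matching strings)."""
    hits = sorted(name for name, pat in rule_strings().items() if pat in data)
    return len(hits) >= threshold, hits


def sample_table(little_endian: bool, entries: int = 2) -> bytes:
    """Constructed stand-in for a compiled binary: filler bytes around the first
    `entries` uint64 values of the C0 table stored in the given byte order."""
    order = "little" if little_endian else "big"
    table = b"".join(
        int.from_bytes(c0_entry(s), "big").to_bytes(8, order)
        for s in WHIRLPOOL_SBOX_PREFIX[:entries]
    )
    return b"\x90" * 32 + table + b"\x00" * 32


if __name__ == "__main__":
    for name, pat in rule_strings().items():
        print(f"{name} = {{ {pat.hex()} }}")
    samples = (
        ("little-endian build (x86/x64)", sample_table(True)),
        ("big-endian build", sample_table(False)),
        ("only C0[0], little-endian", sample_table(True, entries=1)),
        ("unrelated data", bytes(range(256))),
    )
    for label, blob in samples:
        fired, hits = evaluate(blob)
        print(f"{label}: fired={fired} hits={hits}")
```

Running it prints the four strings exactly as the rule spells them, shows that a table of either byte order trips the condition with two hits, and that a buffer holding only one table entry does not. The same derivation can be extended to further C0 entries if you know more S-box bytes, which is a practical way to confirm during triage that a hit is followed by the rest of the table rather than an isolated 8-byte coincidence.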
The rule has four string patterns and a "2 of them" condition. The strings are the first two entries of the Whirlpool C0 table, each in big-endian and in little-endian byte order, so a build for either architecture supplies exactly two matches and the condition fires; both byte orders are not expected to appear in one object. It can be run with the yara command-line tool, yara-python, or any EDR or sandbox that accepts YARA rules.
The tuning scenarios below are written as process.name filters. Those apply only where a YARA hit is surfaced as an event that carries process context (an EDR or sandbox feeding a SIEM); the rule itself sees bytes and has no notion of a process. Where possible, exclude by file hash or by signed full path rather than by process name, which an attacker can choose freely, and confirm that the excluded binary actually ships a Whirlpool implementation before adding the exclusion. Note also that the rule matches exact 8-byte table entries in binaries and memory, not look-alike strings in logs, scripts or transferred data.
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: If Veeam's backup components are confirmed to embed a Whirlpool implementation (for example through a linked cryptographic library), hits raised during scheduled backup jobs are benign. Confirm the match location is the Veeam binary or its loaded libraries, not the data being backed up, before excluding.
Filter/Exclusion: Exclude the verified Veeam processes using the process.name field, adjusted to the image names actually seen in your telemetry and ideally narrowed by image path or publisher signature:
process.name != "veeam" AND process.name != "VeeamBackup"
Scenario: Admin Task Using PowerShell for Log Analysis
Description: A hit under powershell.exe points at a loaded module or assembly that implements Whirlpool, or at a script that carries the table as literal data. Identify that module or script; the interpreter itself is not what matched.
Filter/Exclusion: A blanket process-name exclusion for powershell.exe removes visibility into a tool attackers use routinely. If an exclusion is unavoidable, scope it to the script's path or hash rather than using the broad filter below:
process.name != "powershell.exe"
Scenario: Database Migration Using Oracle Data Pump
Description: The expdp and impdp utilities would match only if their executables or loaded libraries embed a Whirlpool implementation; dump files and log output are not where the constants would appear. Verify the match location before excluding.
Filter/Exclusion: Exclude the verified expdp or impdp processes using the process.name field:
process.name != "expdp" AND process.name != "impdp"
Scenario: Software Update Using Microsoft Endpoint Configuration Manager (MECM)
Description: MECM client components would match only if they embed Whirlpool code; confirm that before excluding them. "SCCM" is not a process name: the client agent runs as CcmExec.exe and CCMSetup.exe is its installer.
Filter/Exclusion: Exclude the verified MECM client processes using the process.name field:
process.name != "CCMSetup.exe" AND process.name != "CcmExec.exe"
Scenario: Log Aggregation Using Splunk Forwarder
Description: The Splunk Universal Forwarder may include strings that match WhirlPool