Adversaries may use known elliptic curve orders to exploit cryptographic weaknesses in TLS implementations, potentially enabling man-in-the-middle attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential cryptographic vulnerabilities and mitigate the associated risks.
YARA Rule

```yara
rule ecc_order {
    meta:
        author = "spelissier"
        description = "Look for known Elliptic curve orders"
        date = "2021-07"
        version = "0.2"
    strings:
        // Group order n of each SEC curve, serialized big-endian (most significant byte first).
        $secp192k1 = { FF FF FF FF FF FF FF FF FF FF FF FE 26 F2 FC 17 0F 69 46 6A 74 DE FD 8D }
        $secp192r1 = { FF FF FF FF FF FF FF FF FF FF FF FF 99 DE F8 36 14 6B C9 B1 B4 D2 28 31 }
        $secp224k1 = { 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 DC E8 D2 EC 61 84 CA F0 A9 71 76 9F B1 F7 }
        $secp224r1 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF 16 A2 E0 B8 F0 3E 13 DD 29 45 5C 5C 2A 3D }
        $secp256k1 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FE BA AE DC E6 AF 48 A0 3B BF D2 5E 8C D0 36 41 41 }
        $prime256v1 = { FF FF FF FF 00 00 00 00 FF FF FF FF FF FF FF FF BC E6 FA AD A7 17 9E 84 F3 B9 CA C2 FC 63 25 51 }
        $secp384r1 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF C7 63 4D 81 F4 37 2D DF 58 1A 0D B2 48 B0 A7 7A EC EC 19 6A CC C5 29 73 }
        // Scalar field order r of BLS12-381, serialized little-endian (least significant byte first).
        $bls12_381_r = { 01 00 00 00 FF FF FF FF FE 5B FE FF 02 A4 BD 53 05 D8 A1 09 08 D8 39 33 48 7D 9D 29 53 A7 ED 73 }
    condition:
        any of them
}
```
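The hex strings above are the curve orders written out as bytes: big-endian for the SEC curves and little-endian for the BLS12-381 scalar field order r. The following Python script is an added example, not part of the rule or of spelissier's repository: it regenerates the rule's patterns from the published order constants and scans a constructed buffer for each order in both byte orders, which exposes a coverage gap: code that stores the secp256k1 order as little-endian words is not matched by $secp256k1.

```python
# Published group orders (n for the SEC curves, r for BLS12-381). These are the
# standard constants; underscores only group the hex digits for readability.
CURVE_ORDERS = {
    "secp192k1":   0xFFFF_FFFF_FFFF_FFFF_FFFF_FFFE_26F2_FC17_0F69_466A_74DE_FD8D,
    "secp192r1":   0xFFFF_FFFF_FFFF_FFFF_FFFF_FFFF_99DE_F836_146B_C9B1_B4D2_2831,
    "secp224k1":   0x01_0000_0000_0000_0000_0000_0000_0001_DCE8_D2EC_6184_CAF0_A971_769F_B1F7,
    "secp224r1":   0xFFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF_16A2_E0B8_F03E_13DD_2945_5C5C_2A3D,
    "secp256k1":   0xFFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFE_BAAE_DCE6_AF48_A03B_BFD2_5E8C_D036_4141,
    "prime256v1":  0xFFFF_FFFF_0000_0000_FFFF_FFFF_FFFF_FFFF_BCE6_FAAD_A717_9E84_F3B9_CAC2_FC63_2551,
    "secp384r1":   0xFFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF_FFFF_C763_4D81_F437_2DDF_581A_0DB2_48B0_A77A_ECEC_196A_CCC5_2973,
    "bls12_381_r": 0x73ED_A753_299D_7D48_3339_D808_09A1_D805_53BD_A402_FFFE_5BFE_FFFF_FFFF_0000_0001,
}

def order_bytes(order: int, endian: str) -> bytes:
    """Serialize a group order as fixed-width bytes in the given byte order."""
    # secp224k1's order is 225 bits, so round the width up to whole bytes.
    width = (order.bit_length() + 7) // 8
    return order.to_bytes(width, endian)

def yara_hex(pattern: bytes) -> str:
    """Render bytes the way the rule writes its strings: '{ FF FF ... }'."""
    return "{ " + " ".join(f"{b:02X}" for b in pattern) + " }"

def scan(buf: bytes) -> list:
    """Return (curve, endian, offset) for each order found in buf, sorted by offset.

    The rule matches the SEC orders big-endian only and BLS12-381 r little-endian
    only; scanning both byte orders shows what a little-endian constant would look like.
    """
    hits = []
    for name, order in CURVE_ORDERS.items():
        for endian in ("big", "little"):
            off = buf.find(order_bytes(order, endian))
            if off != -1:
                hits.append((name, endian, off))
    return sorted(hits, key=lambda h: h[2])

# Constructed sample buffer: filler, the secp256k1 order big-endian (what $secp256k1
# matches), more filler, then the same order little-endian (what the rule misses).
SAMPLE = (b"\x00" * 16 + order_bytes(CURVE_ORDERS["secp256k1"], "big")
          + b"\x90" * 8 + order_bytes(CURVE_ORDERS["secp256k1"], "little"))

if __name__ == "__main__":
    for name, order in CURVE_ORDERS.items():
        endian = "little" if name == "bls12_381_r" else "big"
        print(f"${name} = {yara_hex(order_bytes(order, endian))}")
    for hit in scan(SAMPLE):
        print(hit)
```

Running the script prints the rule's eight strings byte for byte, then the two hits in the sample buffer, only the first of which the rule as written would report.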
This rule contains 8 string patterns in its detection logic.

This YARA rule can be deployed in the following contexts:
Scenario: A system administrator is using OpenSSL to generate a new TLS certificate and the elliptic curve order is being output during the key generation process.
Filter/Exclusion: Exclude processes related to openssl or filter by process name using process.name != "openssl".

Scenario: A scheduled job runs a script that uses Python's cryptography library to validate elliptic curve parameters for cryptographic compliance checks.
Filter/Exclusion: Exclude processes associated with scheduled jobs, filter by process.name != "python", or use a custom tag for compliance checks.

Scenario: A network monitoring tool like Wireshark or tcpdump captures and analyzes packets containing elliptic curve parameters during a security audit.
Filter/Exclusion: Exclude traffic from known monitoring tools by checking the source or destination IP, or filter by process.name != "tcpdump" and process.name != "wireshark" (both conditions must hold; joining them with "or" would match every process).

Scenario: An IT security tool such as CrowdStrike or Microsoft Defender performs a deep scan of system files and encounters elliptic curve data in a legitimate cryptographic library.
Filter/Exclusion: Exclude processes related to endpoint security tools or filter by process.name != "CrowdStrike" and process.name != "MsDefender".

Scenario: A system update or patching tool like Ansible or Chef deploys a package that includes cryptographic libraries, and the elliptic curve order is logged during installation.
Filter/Exclusion: Exclude processes related to configuration management tools or filter by process.name != "ansible" and process.name != "chef".