This detection rule identifies the SHA-3 (Keccak) round constants embedded in a file, which shows that the file carries a Keccak implementation; adversary use of such code may indicate cryptographic manipulation or obfuscation techniques. SOC teams should proactively hunt for this behavior to uncover advanced persistent threats that leverage cryptographic anomalies in their Azure Sentinel environment.
YARA Rule
rule SHA3_constants {
    meta:
        author = "spelissier"
        description = "SHA-3 (Keccak) round constants"
        date = "2020-04"
        version = "0.1"
    strings:
        $c0 = { 0080008000000080 }
        $c1 = { 0a00008000000080 }
        $c2 = { 8080000000000080 }
        $c3 = { 8b00000000000080 }
        $c4 = { 8280000000000000 }
        $c5 = { 8980000000000080 }
        $c6 = { 0880008000000080 }
        $c7 = { 0980008000000000 }
        $c8 = { 0280000000000080 }
        $c9 = { 0a00008000000000 }
        $c10 = { 0380000000000080 }
        $c11 = { 8b80000000000000 }
        $c12 = { 0100008000000000 }
        $c13 = { 0a80000000000000 }
        $c14 = { 0980000000000080 }
        $c15 = { 8000000000000080 }
        $c16 = { 8800000000000000 }
        $c17 = { 8b80008000000000 }
        $c18 = { 8a00000000000000 }
        $c19 = { 8180008000000080 }
        $c20 = { 0100000000000000 }
        $c21 = { 8a80000000000080 }
    condition:
        10 of them
}
This rule contains 22 string patterns in its detection logic: the 22 distinct 64-bit Keccak round constants, each written as its little-endian byte sequence, and it fires when at least 10 of them are present in the scanned file.
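As an added example (not code from the rule or its author), the following Python regenerates the Keccak-f[1600] round constants with the rc() LFSR defined in FIPS 202 and checks that their little-endian encodings are exactly the rule's 22 strings; match_count() mirrors the "10 of them" condition over an arbitrary byte buffer. The only page-specific input is the pattern set copied from the rule above.

```python
# Added example (not part of the original rule): regenerate the Keccak-f[1600]
# iota round constants with the rc() LFSR from FIPS 202, section 3.2.5, and
# confirm that their little-endian encodings are exactly the rule's strings.

def rc_bit(t: int) -> int:
    """rc(t): bit 0 of an 8-bit LFSR with feedback x^8 + x^6 + x^5 + x^4 + 1."""
    if t % 255 == 0:
        return 1
    r = 1
    for _ in range(t % 255):
        r <<= 1
        if r & 0x100:
            r ^= 0x171  # drop the overflow bit and feed it back into bits 0,4,5,6
    return r & 1


def round_constant(ir: int) -> int:
    """RC[ir]: bit (2^j - 1) is set to rc(j + 7*ir) for j = 0..6 (64-bit lane)."""
    rc = 0
    for j in range(7):
        if rc_bit(j + 7 * ir):
            rc |= 1 << ((1 << j) - 1)
    return rc


def le_patterns(rounds: int = 24) -> set:
    """Distinct little-endian encodings of RC[0..rounds-1] as lowercase hex."""
    return {round_constant(ir).to_bytes(8, "little").hex() for ir in range(rounds)}


# The 22 hex strings of the YARA rule above (only 22 of the 24 constants are
# distinct: RC[5] == RC[22] and RC[6] == RC[20]).
RULE_PATTERNS = {
    "0080008000000080", "0a00008000000080", "8080000000000080", "8b00000000000080",
    "8280000000000000", "8980000000000080", "0880008000000080", "0980008000000000",
    "0280000000000080", "0a00008000000000", "0380000000000080", "8b80000000000000",
    "0100008000000000", "0a80000000000000", "0980000000000080", "8000000000000080",
    "8800000000000000", "8b80008000000000", "8a00000000000000", "8180008000000080",
    "0100000000000000", "8a80000000000080",
}


def rule_matches_spec() -> bool:
    """True when the rule's strings are exactly the spec-derived constants."""
    return le_patterns() == RULE_PATTERNS


def match_count(data: bytes) -> int:
    """Number of rule strings present in data; the rule fires at 10 or more."""
    return sum(bytes.fromhex(p) in data for p in RULE_PATTERNS)
```

Because the constants are the same in every conforming implementation, a match means the file embeds Keccak code, not that the code is malicious; a big-endian build would store the bytes reversed and escape this rule.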
Scenario: A system administrator uses PowerShell to script a routine system cleanup, and the script includes a hardcoded test value that resembles the SHA-3 round constants.
Filter/Exclusion: Exclude processes initiated by powershell.exe whose command line contains "test" or "script".
Scenario: A scheduled backup job using Veeam Backup & Replication generates temporary files or logs that contain hex values similar to the SHA-3 round constants.
Filter/Exclusion: Exclude processes with the parent process name veeam.exe, or filter by the process name backupjob.exe.
Scenario: A network security tool such as Wireshark captures and analyzes raw packet data that includes hex values matching the SHA-3 round constants.
Filter/Exclusion: Exclude processes with the name wireshark.exe, or filter by the presence of the --capture or --decode command line flags.
Scenario: A DevOps pipeline using Jenkins runs a script that generates test data containing hex values that look like SHA-3 constants.
Filter/Exclusion: Exclude processes with the parent process name jenkins.exe, or filter by the presence of the --test or --simulate flags in the command line.
Scenario: A log analysis tool such as the ELK Stack (Elasticsearch, Logstash, Kibana) processes logs that include hex strings used for debugging or logging, which may resemble the SHA-3 round constants.
Filter/Exclusion: Exclude processes with the name logstash.exe, or filter by the presence of the --debug or --log flags in the command line.