The detection of SHA-3 (Keccak) interleaved round constants may indicate the use of custom cryptographic implementations or obfuscation techniques by adversaries. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threats or data exfiltration attempts leveraging cryptographic anomalies.
YARA Rule
rule SHA3_interleaved {
    meta:
        author = "spelissier"
        description = "SHA-3 (Keccak) interleaved round constants"
        date = "2020-04"
        version = "0.1"
    strings:
        $c0 = { 010000008b800000 }
        $c1 = { 0000000081000080 }
        $c2 = { 0000000088000080 }
        $c3 = { 000000000b000000 }
        $c4 = { 0100000000800000 }
        $c5 = { 010000008b000000 }
        $c6 = { 0100000082800000 }
        $c7 = { 0000000003800000 }
        $c8 = { 010000008a000080 }
        $c9 = { 0000000082800080 }
        $c10 = { 0000000003800080 }
        $c11 = { 000000008b000080 }
        $c12 = { 0000000083000000 }
        $c13 = { 000000000a000000 }
        $c14 = { 0000000080800080 }
        $c15 = { 0100000082000080 }
        $c16 = { 010000000b000080 }
        $c17 = { 0100000088800080 }
        $c18 = { 0000000008000080 }
        $c19 = { 0100000000000000 }
        $c20 = { 0000000089000000 }
        $c21 = { 0100000081000080 }
    condition:
        10 of them
}
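As an added example (not part of the rule or its source project), the script below derives the Keccak-f[1600] round constants from the FIPS 202 LFSR, bit-interleaves them the way 32-bit Keccak implementations store them, and confirms that the rule's 22 strings are exactly the distinct interleaved constants. It then emulates the "10 of them" condition over two constructed buffers to show that a 64-bit implementation's plain little-endian constant table would not trigger this rule; the buffers are constructed here, not taken from any real binary.

```python
import struct

# The 22 hex strings from the rule above, in rule order.
RULE_STRINGS = [
    "010000008b800000", "0000000081000080", "0000000088000080", "000000000b000000",
    "0100000000800000", "010000008b000000", "0100000082800000", "0000000003800000",
    "010000008a000080", "0000000082800080", "0000000003800080", "000000008b000080",
    "0000000083000000", "000000000a000000", "0000000080800080", "0100000082000080",
    "010000000b000080", "0100000088800080", "0000000008000080", "0100000000000000",
    "0000000089000000", "0100000081000080",
]
def rc_bit(t):
    """rc(t) from FIPS 202 Algorithm 5: one output bit of an 8-bit LFSR."""
    if t % 255 == 0:
        return 1
    r = 1
    for _ in range(t % 255):
        r <<= 1
        if r & 0x100:  # feedback polynomial x^8 + x^6 + x^5 + x^4 + 1
            r ^= 0x171
    return r & 1
def round_constants():
    """The 24 64-bit round constants RC[ir] of Keccak-f[1600] (FIPS 202, 3.2.5)."""
    consts = []
    for ir in range(24):
        lane = 0
        for j in range(7):
            if rc_bit(j + 7 * ir):
                lane |= 1 << ((1 << j) - 1)
        consts.append(lane)
    return consts
def interleave(lane):
    """Bit-interleave a 64-bit lane as 32-bit Keccak code stores it: even-indexed
    bits form one 32-bit word, odd-indexed bits the other, each little-endian."""
    even = sum(((lane >> (2 * i)) & 1) << i for i in range(32))
    odd = sum(((lane >> (2 * i + 1)) & 1) << i for i in range(32))
    return struct.pack("<II", even, odd)
def rule_matches_reference():
    """True if the rule's strings are exactly the distinct interleaved RCs
    (RC[5]==RC[22] and RC[6]==RC[20], hence 22 strings rather than 24)."""
    return {interleave(c).hex() for c in round_constants()} == set(RULE_STRINGS)
def count_rule_hits(data):
    """Emulate the rule body: how many of the 22 patterns occur in the buffer."""
    return sum(bytes.fromhex(s) in data for s in RULE_STRINGS)
# Constructed sample buffers standing in for scanned files: a 32-bit
# implementation's interleaved table trips "10 of them"; a 64-bit
# implementation's plain little-endian table does not and needs another rule.
INTERLEAVED_TABLE = b"".join(interleave(c) for c in round_constants())
PLAIN_TABLE = b"".join(struct.pack("<Q", c) for c in round_constants())
```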
This rule contains 22 string patterns in its detection logic. The following scenarios describe benign activity that may trigger it, together with the filters or exclusions to apply:
Scenario: Scheduled backup job using rsync or Veeam
Description: A backup process may generate large volumes of data that include patterns resembling SHA-3 round constants due to the nature of data transfer or compression.
Filter/Exclusion: Exclude traffic from known backup tools (e.g., rsync, Veeam, Commvault) or IP addresses associated with internal backup servers.
Scenario: Log aggregation using Fluentd or Logstash
Description: Log aggregation tools may process large volumes of data that include binary or encoded content, which could falsely match the SHA-3 round constant pattern.
Filter/Exclusion: Exclude traffic from log aggregation tools (e.g., Fluentd, Logstash, Splunk) or specific log processing pipelines.
Scenario: Disk imaging or forensic tools like dd or FTK Imager
Description: Disk imaging processes may capture raw disk data that includes patterns similar to SHA-3 round constants, especially when imaging encrypted or binary files.
Filter/Exclusion: Exclude traffic from disk imaging tools (e.g., dd, FTK Imager, EnCase) or processes associated with forensic analysis.
Scenario: Scheduled system updates using Ansible or Chef
Description: System update jobs may transfer binary files or use cryptographic operations that generate data resembling SHA-3 round constants.
Filter/Exclusion: Exclude traffic from configuration management tools (e.g., Ansible, Chef, Puppet) or IP addresses associated with update servers.
Scenario: Internal data encryption or key management using Vault or KMS
Description: Key management systems may process cryptographic data that includes patterns matching the SHA-3 round constants during encryption