rule:
  meta:
    name: encrypt data using RC4 with custom key via WinAPI
    namespace: data-manipulation/encryption/rc4
    authors:
      - blaine.stancill@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires bytes features
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
      - Cryptography::Encrypt Data::RC4 [C0027.009]
    references:
      - https://www.phdcc.com/cryptorc4.htm
    examples:
      - 4E9C546A54E40D0DA89BB4616DD7F8C4:0x140007B70
      - A563C50C5FA0FD541248ACAF72CC4E7D:0x401AF0
  features:
    - and:
      - api: CryptImportKey
      - number: 0x4C = SimpleBlobRC4KeyTemplate size
      - bytes: 01 02 00 00 01 68 00 00 00 A4 00 00 = SimpleBlobRC4KeyTemplate header
      - number: 0x134 = PrivateKeyWithExponentOfOne size
      - bytes: 07 02 00 00 00 A4 00 00 52 53 41 32 00 02 00 00 01 00 00 00 AB EF FA C6 7D E8 DE FB 68 38 09 92 D9 42 7E 6B 89 9E 21 D7 52 1C 99 3C 17 48 4E 3A 44 02 F2 FA 74 57 DA E4 D3 C0 35 67 FA 6E DF 78 4C 75 35 1C A0 74 49 E3 20 13 71 35 65 DF 12 20 F5 F5 F5 C1 ED 5C 91 36 75 B0 A9 9C 04 DB 0C 8C BF 99 75 13 7E 87 80 4B 71 94 B8 00 A0 7D B7 53 DD 20 63 EE F7 83 41 FE 16 A7 6E DF 21 7D 76 C0 85 D5 65 7F 00 23 57 45 52 02 9D EA 69 AC 1F FD 3F 8C 4A D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 D5 AA B1 A6 03 18 92 03 AA 31 2E 48 4B 65 20 99 CD C6 0C 15 0C BF 3E FF 78 95 67 B1 74 5B 60 01 00 00 00 00 00 00 00 00 00 00 00 = PrivateKeyWithExponentOfOne
      - match: contain loop  # Copies RC4 key in reverse order
      - optional:
        - or:
          - number: 1 = PROV_RSA_FULL
          - api: CryptAcquireContext
      - api: CryptEncrypt
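Added example, not part of the capa rule or the capa project: a small Python parser that decodes the two CryptoAPI blob headers the rule matches on (the SIMPLEBLOB wrapping an RC4 key and the RSA2 PRIVATEKEYBLOB whose public exponent is 1) and checks the 0x4C and 0x134 size constants against the blob layouts for a 512-bit RSA key. Constant names follow wincrypt.h; the function names are my own.

```python
import struct

# CryptoAPI constants from wincrypt.h (Windows SDK names, well-known values).
SIMPLEBLOB = 0x01
PRIVATEKEYBLOB = 0x07
CALG_RC4 = 0x6801
CALG_RSA_KEYX = 0xA400
RSA2_MAGIC = b"RSA2"  # RSAPUBKEY.magic for an RSA private key blob

# Header bytes copied from the rule's two bytes features (constructed inputs for this example).
SIMPLEBLOB_RC4_HEADER = bytes.fromhex("0102000001680000" "00A40000")
PRIVATEKEYBLOB_HEADER = bytes.fromhex("07020000" "00A40000" "52534132" "00020000" "01000000")

def parse_blobheader(blob):
    """Decode the 8-byte PUBLICKEYSTRUC that starts every CryptoAPI key blob."""
    b_type, b_version, reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    return {"bType": b_type, "bVersion": b_version, "reserved": reserved, "aiKeyAlg": alg_id}

def parse_simpleblob_header(blob):
    """SIMPLEBLOB = PUBLICKEYSTRUC + ALG_ID of the key-exchange key that wraps the session key."""
    hdr = parse_blobheader(blob)
    hdr["wrapAlg"] = struct.unpack_from("<I", blob, 8)[0]
    return hdr

def parse_privatekeyblob_header(blob):
    """PRIVATEKEYBLOB = PUBLICKEYSTRUC + RSAPUBKEY {magic, bitlen, pubexp} + key material."""
    hdr = parse_blobheader(blob)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    hdr.update({"magic": magic, "bitlen": bitlen, "pubexp": pubexp})
    return hdr

def simpleblob_size(rsa_bits):
    """Wrapped RC4 key: 12-byte header plus one RSA block of ciphertext."""
    return 8 + 4 + rsa_bits // 8

def privatekeyblob_size(rsa_bits):
    """RSA2 layout: 20-byte header, modulus, p, q, dp, dq, iq (half size each), then d."""
    n = rsa_bits // 8
    return 8 + 12 + n + 5 * (n // 2) + n

def is_exponent_of_one_private_key(blob):
    """True when the blob is an RSA2 private key with public exponent 1: the
    'identity RSA' key that lets CryptImportKey unwrap an attacker-chosen RC4 key."""
    if len(blob) < 20 or parse_blobheader(blob)["bType"] != PRIVATEKEYBLOB:
        return False
    hdr = parse_privatekeyblob_header(blob)
    return (hdr["aiKeyAlg"] == CALG_RSA_KEYX and hdr["magic"] == RSA2_MAGIC
            and hdr["pubexp"] == 1)
```

The size helpers reproduce the rule's 0x4C and 0x134 constants from the layout alone, so the same arithmetic can be used to recognise the pattern at other key lengths.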
last edited: 2023-11-24 10:34:28