This rule flags files that contain the SipHash initialization constants in byte-reversed form. The SipHash paper derives its four 64-bit constants from the ASCII phrase "somepseudorandomlygeneratedbytes" split into four 8-byte words ("somepseu", "dorandom", "lygenera", "tedbytes"); when a compiler emits those values as 64-bit immediates on a little-endian target, the bytes land in memory reversed, which is what the rule's strings ("uespemos" and so on) look for. A match therefore means a SipHash implementation is present in the scanned file or memory region. That is useful when triaging an unknown binary, for example to locate the hashing or MAC routine in a malware sample, but it is not by itself evidence of malicious activity: SipHash is a widely used, legitimate primitive. Because it is a YARA rule, it is applied to files, process memory and sample repositories, not to log data in a SIEM such as Azure Sentinel; a SIEM can only ingest the scanner's match events.
YARA Rule
rule SipHash_big_endian_constants {
meta:
author = "spelissier"
description = "Look for SipHash constants in big endian"
date = "2020-07"
reference = "https://131002.net/siphash/siphash.pdf#page=6"
strings:
$c0 = "uespemos"
$c1 = "modnarod"
$c2 = "arenegyl"
$c3 = "setybdet"
condition:
2 of them
}
The rule declares four 8-byte strings, one per constant, and fires when at least two of them are present, so a single coincidental 8-byte sequence in unrelated data does not trigger it. It deliberately does not match implementations that keep the constants in their plain byte order, for instance code that stores the literal phrase "somepseudorandomlygeneratedbytes" as a byte array, or immediates on a big-endian target; covering those requires a second rule with the unreversed strings. Because the strings are plain ASCII, the rule can be run with a stock YARA binary against files on disk, process memory, or a sample repository; it does not distinguish SipHash variants (2-4, 1-3, the 128-bit output form) or how the primitive is used.
Scenario: The scanned file is a legitimate library or runtime that ships a SipHash implementation. libsodium (crypto_shorthash) and the Linux kernel provide SipHash-2-4, CPython's default string hash is a SipHash variant, and the Rust standard library's default HashMap hasher is SipHash-1-3, so any of these images will match.
Filter/Exclusion: Exclude by file identity rather than by name: allowlist the SHA-256 of the known-good library and runtime binaries, or their membership in a signed package, and review matches in any other file. A process-name or command-line exclusion is the wrong key for a file-content rule, because a renamed or copied binary would slip through it.
Scenario: An in-house application statically links a SipHash implementation, for example for hash-table keying as the paper recommends, so the constants appear in a binary that nothing in a vendor allowlist covers.
Filter/Exclusion: Allowlist the build by hash or by its code-signing identity after a one-time review, and re-triage when a new build appears; do not exclude on the user who runs it (root, admin) or on a generic interpreter name such as bash or python, since those carry no information about the file contents that matched.
Scenario: A memory scan of a running Python or Rust program matches on the interpreter or runtime mapped into the process rather than on anything the program itself loaded.
Filter/Exclusion: Attribute the match to the backing module of the region it was found in and apply the same file-hash allowlist to that module. A match in an anonymous, executable region with no backing file is the case to keep, because that is where injected or unpacked code lives.
Scenario: A scheduled job or configuration-management run (cron, systemd timers, Ansible) triggers a scan that matches the interpreter or tool binary the job is executing under.
Filter/Exclusion: The match comes from the interpreter image, not from the script or playbook, so exclude that image by hash once rather than filtering on the job name, the user, or the time at which it runs; a time-based exclusion would also suppress a genuinely new binary that happens to run on the same schedule.
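As an added example, not part of the original page or of the rule author's work, the following Python reproduces the rule's logic outside YARA: it derives the four strings from the constants in the SipHash paper, scans a few constructed sample buffers (a little-endian immediate layout, the plain phrase, and unrelated data containing one coincidental string), and shows a file-hash allowlist as the triage step. The sample buffers and the allowlist contents are constructed for illustration and are not real binaries.

```python
import hashlib
import struct

# SipHash initialization constants as given in the paper: the ASCII phrase
# "somepseudorandomlygeneratedbytes" split into four 64-bit words.
SIPHASH_CONSTANTS = (
    0x736F6D6570736575,  # "somepseu"
    0x646F72616E646F6D,  # "dorandom"
    0x6C7967656E657261,  # "lygenera"
    0x7465646279746573,  # "tedbytes"
)

# The four strings exactly as declared in the YARA rule, and its "2 of them" threshold.
RULE_STRINGS = {
    "$c0": b"uespemos",
    "$c1": b"modnarod",
    "$c2": b"arenegyl",
    "$c3": b"setybdet",
}
RULE_THRESHOLD = 2


def little_endian_layout(value: int) -> bytes:
    """Byte layout of a 64-bit constant as a little-endian compiler emits an immediate.
    For each SipHash constant this yields the reversed string the rule looks for."""
    return struct.pack("<Q", value)


def scan(buffer: bytes) -> dict:
    """Mirror the rule: record the first offset of each string that occurs and
    decide the match the way the condition does (at least RULE_THRESHOLD strings)."""
    hits = {name: buffer.find(s) for name, s in RULE_STRINGS.items() if s in buffer}
    return {"hits": hits, "matched": len(hits) >= RULE_THRESHOLD}


def sha256_hex(buffer: bytes) -> str:
    return hashlib.sha256(buffer).hexdigest()


def triage(buffer: bytes, known_good_sha256: set) -> str:
    """Triage a match on file identity. YARA matched the file contents, so the file
    hash (or a signing identity) is the exclusion key; a process name is not."""
    result = scan(buffer)
    if not result["matched"]:
        return "no-match"
    if sha256_hex(buffer) in known_good_sha256:
        return "allowlisted"
    return "review"


# --- constructed samples (illustrative, not real binaries) ---
# 1. Roughly what compiled SipHash initialization looks like on a little-endian
#    target: each constant is an 8-byte immediate between opcode-like filler bytes.
COMPILED_LE = b"".join(
    b"\x48\xb8" + little_endian_layout(c) + b"\x48\x31\xc1" for c in SIPHASH_CONSTANTS
)
# 2. An implementation that keeps the phrase as a byte array: the plain order,
#    which this rule deliberately does not match.
PLAIN_PHRASE = b"\x00" * 16 + b"somepseudorandomlygeneratedbytes" + b"\x00" * 16
# 3. Unrelated data containing one of the strings once: below the threshold.
COINCIDENCE = b"log: uespemos token seen\n" * 3


if __name__ == "__main__":
    for label, sample in (("compiled", COMPILED_LE), ("plain", PLAIN_PHRASE), ("noise", COINCIDENCE)):
        print(label, scan(sample), triage(sample, set()))
    # Allowlisting the constructed "compiled" sample by its hash suppresses it.
    print("allowlisted:", triage(COMPILED_LE, {sha256_hex(COMPILED_LE)}))
```

Running the script shows the compiled layout hitting all four strings and landing in "review", the plain phrase not matching at all, and the noise buffer hitting only $c0 and staying below the threshold; adding the compiled sample's hash to the allowlist turns its verdict into "allowlisted" without touching the rule.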