The hunting hypothesis is that the rule identifies potential Andromeda Trojan activity by monitoring the creation or termination of processes tied to its execution through msiexec.exe in suspicious directories (the rule's string keys on the _.net_ folder under the user's AppData\Local\Temp). SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Andromeda infections before they establish deeper persistence or exfiltrate data.
YARA Rule
rule andromeda_bot
{
    meta:
        maltype = "Andromeda bot"
        author = "https://github.com/reed1713"
        description = "IOC looks for the creation or termination of a process associated with the Andromeda Trojan. The malware executes msiexec.exe from the suspicious directory. Shortly after, it creates and injects itself into the wuauclt.exe (Windows Update) process. It then attempts to beacon to its C2."
    strings:
        $type = "Microsoft-Windows-Security-Auditing"
        $eventid = "4688"
        $data = "AppData\\Local\\Temp\\_.net_\\msiexec.exe"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: A system administrator is using msiexec.exe to install a legitimate software update in the C:\Windows\Temp directory as part of a scheduled maintenance task.
Filter/Exclusion: Exclude processes where the parent process is schtasks.exe and the command line includes a known legitimate MSI file.
Scenario: A developer is running msiexec.exe in a build environment to deploy a custom application to a shared directory, such as C:\BuildArtifacts.
Filter/Exclusion: Exclude processes where the user account is a developer or service account, and the command line includes a known internal MSI package.
Scenario: A system update or patching tool (e.g., Microsoft Endpoint Configuration Manager) is executing msiexec.exe in a temporary directory to install a security patch.
Filter/Exclusion: Exclude processes where the command line includes a known patch or update MSI file, and the parent process is a known patching tool.
Scenario: A scheduled job (e.g., Task Scheduler) is configured to run a script that uses msiexec.exe to install a configuration tool in a temporary directory.
Filter/Exclusion: Exclude processes where the parent process is schtasks.exe and the command line includes a known internal or third-party configuration MSI.
Scenario: A security tool or endpoint protection software (e.g., Microsoft Defender or CrowdStrike) is using msiexec.exe to deploy an update or configuration change in a system directory.
Filter/Exclusion: Exclude processes where the parent process is a known security tool and the command line includes a known update or configuration MSI.
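As an added example (not part of this page or the rule author's code), the Python below applies the rule's three conditions to constructed 4688 events and then the parent-process plus command-line exclusions described in the scenarios above. The allowlists, paths and MSI names are hypothetical placeholders an analyst would replace with their own inventory.

```python
# Constructed 4688 process-creation events; field names follow the Windows
# Security event schema, values are made up for this example.
PROVIDER = "Microsoft-Windows-Security-Auditing"
IOC_PATH = r"AppData\Local\Temp\_.net_\msiexec.exe"

# Allowlists standing in for the scenario exclusions (hypothetical inventory).
KNOWN_PARENTS = {"schtasks.exe", "ccmexec.exe", "msmpeng.exe", "csfalconservice.exe"}
KNOWN_MSIS = {"corp-agent-2.1.msi", "placeholder-patch.msi"}

SAMPLE_EVENTS = [
    # Andromeda pattern: msiexec.exe started from the _.net_ temp folder
    {"Provider": PROVIDER, "EventID": "4688",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\_.net_\msiexec.exe",
     "ParentProcessName": r"C:\Users\alice\Downloads\invoice.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\_.net_\msiexec.exe"},
    # Scheduled install from C:\Windows\Temp: never contains the IOC path
    {"Provider": PROVIDER, "EventID": "4688",
     "NewProcessName": r"C:\Windows\System32\msiexec.exe",
     "ParentProcessName": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\Temp\corp-agent-2.1.msi /qn"},
    # IOC path hit, but known patching parent and known MSI: suppressed
    {"Provider": PROVIDER, "EventID": "4688",
     "NewProcessName": r"C:\Users\bob\AppData\Local\Temp\_.net_\msiexec.exe",
     "ParentProcessName": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": r"msiexec.exe /i corp-agent-2.1.msi /qn"},
    # Process termination (4689) of the same path: the rule only keys on 4688
    {"Provider": PROVIDER, "EventID": "4689",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\_.net_\msiexec.exe"},
]

def rule_matches(event):
    """YARA 'all of them': provider, event id 4688 and the IOC path (NTFS is case-insensitive)."""
    return (event.get("Provider") == PROVIDER and event.get("EventID") == "4688"
            and IOC_PATH.lower() in event.get("NewProcessName", "").lower())

def is_excluded(event):
    """Scenario filter: known parent tool AND known MSI on the command line; a trusted parent alone is not enough."""
    parent = event.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "").lower()
    return parent in KNOWN_PARENTS and any(m in cmdline for m in KNOWN_MSIS)

def triage(events):
    """Split rule hits into alerts and suppressed hits; suppressed ones are kept so the exclusions can be audited."""
    alerts, suppressed = [], []
    for ev in events:
        if rule_matches(ev):
            (suppressed if is_excluded(ev) else alerts).append(ev)
    return alerts, suppressed
```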