The DCP Des Init rule detects potential initial-access attempts that leverage deprecated or insecure communication protocols, which may indicate an adversary probing or exploiting outdated infrastructure. SOC teams should proactively hunt for this behaviour in Azure Sentinel so that early-stage threats are identified and mitigated before they escalate into more severe breaches.
YARA Rule
rule DCP_DES_Init {
    meta:
        author = "_pusher_"
        description = "Look for DCP Des Init"
        date = "2016-02"
    strings:
        // Variant with every byte literal, including the rel32 displacements after each E8 call.
        $c0 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 FE F9 FF FF 8B D7 8B 4D FC 8B C3 8B 38 FF 57 5C 85 F6 75 25 8D 43 38 33 C9 BA 08 00 00 00 E8 F3 A9 FA FF 8D 4B 38 8D 53 38 8B C3 8B 30 FF 56 6C 8B C3 8B 10 FF 52 48 EB 16 8D 53 38 8B C6 B9 08 00 00 00 E8 6E A7 FA FF 8B C3 8B 10 FF 52 48 5F 5E 5B 59 5D C2 04 00 }
        // Second variant; two of the four-byte call displacements are wildcarded (??)
        // because rel32 call targets change from build to build.
        $c1 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 EE D4 FF FF 8B D7 8B 4D FC 8B C3 8B 38 FF 57 74 85 F6 75 2B 8D 43 40 B9 FF 00 00 00 BA 08 00 00 00 E8 ?? ?? ?? ?? 8D 4B 40 8D 53 40 8B C3 8B 30 FF 96 84 00 00 00 8B C3 8B 10 FF 52 58 EB 16 8D 53 40 8B C6 B9 08 00 00 00 E8 ?? ?? ?? ?? 8B C3 8B 10 FF 52 58 5F 5E 5B 59 5D C2 04 00 }
    condition:
        any of them
}
This rule contains 2 string patterns ($c0 and $c1) in its detection logic; the condition fires when either pattern matches.
This YARA rule can be deployed in the following contexts. Each benign scenario below that may produce a match is paired with a suggested filter or exclusion:
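To see how the wildcarded $c1 pattern behaves, here is an added example (not part of the original page or the rule author's work) that parses a YARA-style hex string into byte/mask pairs and scans a constructed buffer with it. It assumes the $c1 pattern is copied verbatim from the rule above and handles only plain bytes and `??`/nibble wildcards, not YARA jumps or alternatives; in production the real YARA engine does this matching.

```python
import re

# The $c1 hex string from the rule above, copied as a plain Python string.
C1 = ("55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 "
      "E8 EE D4 FF FF 8B D7 8B 4D FC 8B C3 8B 38 FF 57 74 85 F6 75 2B 8D 43 40 "
      "B9 FF 00 00 00 BA 08 00 00 00 E8 ?? ?? ?? ?? 8D 4B 40 8D 53 40 8B C3 8B 30 "
      "FF 96 84 00 00 00 8B C3 8B 10 FF 52 58 EB 16 8D 53 40 8B C6 B9 08 00 00 00 "
      "E8 ?? ?? ?? ?? 8B C3 8B 10 FF 52 58 5F 5E 5B 59 5D C2 04 00")


def parse_hex_pattern(pattern):
    """Turn a YARA hex string body into (value, mask) pairs.
    'AB' -> (0xAB, 0xFF), '??' -> (0x00, 0x00), 'A?' -> (0xA0, 0xF0)."""
    tokens = []
    for tok in pattern.split():
        if not re.fullmatch(r"[0-9A-Fa-f?]{2}", tok):
            raise ValueError(f"unsupported token: {tok}")
        value = mask = 0
        for nibble in tok:
            value <<= 4
            mask <<= 4
            if nibble != "?":        # a '?' nibble contributes nothing to the mask
                value |= int(nibble, 16)
                mask |= 0xF
        tokens.append((value, mask))
    return tokens


def find_pattern(data, tokens):
    """Return every offset in data where the masked pattern matches."""
    n = len(tokens)
    return [
        off for off in range(len(data) - n + 1)
        if all((data[off + i] & m) == v for i, (v, m) in enumerate(tokens))
    ]


def build_sample(tokens, fill=0x90, pad=(16, 8)):
    """Constructed test buffer: the pattern with wildcard nibbles set from `fill`,
    surrounded by zero padding, so the expected hit is at offset pad[0]."""
    body = bytes((v | (fill & ~m)) & 0xFF for v, m in tokens)
    return b"\x00" * pad[0] + body + b"\x00" * pad[1]


if __name__ == "__main__":
    toks = parse_hex_pattern(C1)
    print(f"{len(toks)} bytes in $c1, hits at {find_pattern(build_sample(toks), toks)}")
```

Mutating one of the `??` positions in the sample still yields a hit, while changing any literal byte does not, which is exactly the tolerance the wildcards buy against rebuilt binaries.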
Scenario: A system administrator is using PowerShell to perform routine system diagnostics or configuration checks.
Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line includes -Command with diagnostic or configuration-related scripts.

Scenario: A scheduled job runs to update or maintain DCP (Data Collection Point) configurations in a Microsoft System Center environment.
Filter/Exclusion: Exclude events where the process is associated with a known scheduled task (e.g., Task Scheduler) and the job name matches a known maintenance task.

Scenario: A network monitoring tool such as SolarWinds Network Performance Monitor (NPM) initiates a diagnostic check that temporarily interacts with DCP services.
Filter/Exclusion: Exclude events where the source process is associated with SolarWinds or similar monitoring tools, and the event occurs during a scheduled diagnostic window.

Scenario: An IT support tool such as Microsoft Endpoint Manager (MEM) performs a remote troubleshooting action that includes DCP-related operations.
Filter/Exclusion: Exclude events where the process is associated with Microsoft Endpoint Manager or similar tools, and the action is part of a known remote support procedure.

Scenario: A backup or replication job using Veeam Backup & Replication interacts with DCP services during data synchronization.
Filter/Exclusion: Exclude events where the process is associated with Veeam or similar backup tools, and the event occurs during a scheduled backup or replication window.