tran duy linh

Hunt Hypothesis

The rule detects potential adversarial activity associated with the actor “tran duy linh,” which may indicate reconnaissance or initial compromise behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before they escalate.

YARA Rule

rule tran_duy_linh
{
meta:
	author = "@patrickrolsen"
	maltype = "Misc."
	version = "0.2"
	reference = "8fa804105b1e514e1998e543cd2ca4ea, 872876cfc9c1535cd2a5977568716ae1, etc." 
	date = "01/03/2014"
strings:
	$doc = {D0 CF 11 E0} //DOCFILE0
	$string1 = "Tran Duy Linh" fullword
	$string2 = "DLC Corporation" fullword
condition:
    ($doc at 0) and (all of ($string*))
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

References

• 8fa804105b1e514e1998e543cd2ca4ea, 872876cfc9c1535cd2a5977568716ae1, etc.
• Source Rule

False Positive Guidance

• Scenario: A system administrator is performing a scheduled backup using Veeam Backup & Replication and the backup process includes a file named “tran duy linh” as part of a script or log file.
  Filter/Exclusion: Exclude files with the full path containing C:\Program Files\Veeam\ or files with the extension .log or .bat.

• Scenario: A developer is using Git to clone a repository, and the file name “tran duy linh” appears in a .gitignore file or in a commit message.
  Filter/Exclusion: Exclude files with the extension .gitignore or files in the .git directory, or filter by commit messages containing “git” or “repo”.

• Scenario: A Windows Task Scheduler job is configured to run a PowerShell script that includes the string “tran duy linh” as part of a variable or comment.
  Filter/Exclusion: Exclude files with the extension .ps1 or files located in the C:\Windows\Tasks\ directory.

• Scenario: A Docker container is running a service that generates log files with the name “tran duy linh” as part of its logging convention.
  Filter/Exclusion: Exclude files with the path containing C:\Program Files\Docker\ or files with the extension .log and a timestamp in the filename.

• Scenario: An Ansible playbook includes a task that references a file named “tran duy linh” as part of a template or inventory file.
  Filter/Exclusion: Exclude files with the extension .yml or .json, or files located in the ansible/playbooks/ directory.