Elex Installer

Hunt Hypothesis

The Elex Installer rule detects potential adversary behavior involving the execution of suspicious installer files that may be used to deploy malware or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could evade traditional detection methods.

YARA Rule

rule Trj_Elex_Installer 
{

    meta:
        author = "Centro Criptológico Nacional (CCN)"
        description = "Elex Installer"
        ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
        
    strings:
        $mz = { 4d 5a }
        $str1 = {65 00 76 00 65 00 72 00 79 00 74 00 68 00 69 00 6e 00 67 00}
        $str2 = "IsWow64Process"
        $str3 = "SSFK"
        
    condition:
        ($mz at 0) and ($str1) and ($str2) and ($str3)
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Scheduled System Update via Windows Server Update Services (WSUS)
  Description: A legitimate scheduled task runs the Elex Installer as part of a Windows update process managed by WSUS.
  Filter/Exclusion: Check the CommandLine field for presence of wsus or update, or filter by the source IP of the WSUS server.

• Scenario: Patch Management Tool Deployment (e.g., Microsoft Endpoint Configuration Manager)
  Description: The Elex Installer is used by a patch management tool to deploy updates across the enterprise.
  Filter/Exclusion: Include the ProcessName or ProcessGuid of the patch management tool (e.g., ConfigMgr.exe), or check the User field for known patching service accounts.

• Scenario: Automated Backup Job Using Elex Installer
  Description: A backup tool or script uses the Elex Installer to prepare the system for backup, such as cleaning up temporary files.
  Filter/Exclusion: Filter by the ProcessName of the backup tool (e.g., Veeam.exe, Veritas.exe) or check the Commandline for backup-related keywords.

• Scenario: System Maintenance Task (e.g., DISM or SCCM Maintenance)
  Description: The Elex Installer is invoked as part of a system maintenance task, such as DISM or SCCM maintenance operations.
  Filter/Exclusion: Check the Commandline for keywords like DISM, SCCM, or maintenance, or filter by the User field for system maintenance accounts.

• Scenario: User-Initiated Software Installation (e.g., IT Helpdesk Tool)
  Description: A user installs software using an IT helpdesk tool that triggers the Elex Installer as part of the installation process.
  Filter/Exclusion: Filter by