Trojan Win32/Plabit is the installer component attributed to the PLATINUM activity group (see the rule metadata below) and is likely used by the adversary to establish persistence and to exfiltrate data through covert network communication. SOC teams should hunt for it proactively in Azure Sentinel (now Microsoft Sentinel), correlating YARA hits on disk with process and network telemetry, so that a long-term compromise and the data leakage that accompanies it are found and contained early.
YARA Rule
rule Trojan_Win32_Plabit
{
    meta:
        author = "Microsoft"
        description = "Installer component"
        sample_sha1 = "6d1169775a552230302131f9385135d385efd166"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        // CLSID_BackgroundCopyManager {4991D34B-80A1-4291-83B6-3328366B9097} stored as a
        // raw little-endian GUID, which suggests the installer drives BITS through COM
        $str1 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97}
        // ASCII text string (an API/export name referenced by the installer)
        $str2 = "GetInstanceW"
        // x86 decoding loop: mov edx,eax / and edx,1Fh / mov dl,[edx+ecx] / xor [eax+esi],dl /
        // inc eax / cmp eax,[esp+4] / jb loop  (XOR of a buffer with a 32-byte key)
        $str3 = {8B D0 83 E2 1F 8A 14 0A 30 14 30 40 3B 44 24 04 72 EE}
    condition:
        $str1 and $str2 and $str3
}
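As an added example (not Microsoft's code and not part of the published rule), the Python below reimplements the rule's three strings and its conjunction over constructed buffers, and decodes $str1 as a little-endian GUID to confirm it is the BITS CLSID. The buffers are constructed for the demonstration and are not real samples; no YARA library is required.

```python
import uuid

# The three strings of the Trojan_Win32_Plabit rule, copied verbatim from the rule text.
RULE_STRINGS = {
    "$str1": "{4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97}",
    "$str2": '"GetInstanceW"',
    "$str3": "{8B D0 83 E2 1F 8A 14 0A 30 14 30 40 3B 44 24 04 72 EE}",
}


def yara_string_to_bytes(spec: str) -> bytes:
    """Convert a YARA hex string ({..}) or plain quoted text string to raw bytes.
    Only the simple forms this rule uses are handled (no wildcards, jumps or modifiers)."""
    spec = spec.strip()
    if spec.startswith("{") and spec.endswith("}"):
        return bytes.fromhex(spec[1:-1])          # fromhex tolerates the spaces and mixed case
    if spec.startswith('"') and spec.endswith('"'):
        return spec[1:-1].encode("ascii")         # YARA text strings are ASCII unless 'wide'
    raise ValueError(f"unsupported YARA string syntax: {spec}")


def find_all(data: bytes, pat: bytes) -> list:
    """All offsets at which pat occurs in data (overlapping occurrences included)."""
    offs, i = [], data.find(pat)
    while i != -1:
        offs.append(i)
        i = data.find(pat, i + 1)
    return offs


def match_strings(data: bytes) -> dict:
    """Offsets of every rule string in data, keyed by the YARA identifier."""
    return {name: find_all(data, yara_string_to_bytes(spec)) for name, spec in RULE_STRINGS.items()}


def matches_plabit(data: bytes) -> bool:
    """The rule's condition: $str1 and $str2 and $str3 must all be present."""
    hits = match_strings(data)
    return all(hits[name] for name in ("$str1", "$str2", "$str3"))


def str1_as_guid() -> str:
    """$str1 is a GUID stored as raw bytes (first three fields little-endian)."""
    return str(uuid.UUID(bytes_le=yara_string_to_bytes(RULE_STRINGS["$str1"])))


# Constructed buffers for the demonstration only; they are not real samples.
_S1, _S2, _S3 = (yara_string_to_bytes(RULE_STRINGS[k]) for k in ("$str1", "$str2", "$str3"))
SAMPLE_FULL = b"MZ" + b"\x90" * 30 + _S1 + b"\x00" * 8 + _S2 + b"\x00" + b"\xcc" * 16 + _S3 + b"\x00" * 16
SAMPLE_NO_LOOP = b"MZ" + b"\x90" * 30 + _S1 + b"\x00" * 8 + _S2 + b"\x00" * 40   # $str3 absent
SAMPLE_BITS_CLIENT = b"MZ" + b"\x00" * 64 + _S1 + b"\x00" * 32                    # any BITS client carries the CLSID

if __name__ == "__main__":
    print("$str1 decodes to GUID", str1_as_guid())   # 4991d34b-80a1-4291-83b6-3328366b9097
    for label, buf in (("full", SAMPLE_FULL), ("no loop", SAMPLE_NO_LOOP), ("bits client", SAMPLE_BITS_CLIENT)):
        print(f"{label:12s} hits={match_strings(buf)} match={matches_plabit(buf)}")
```

The third buffer is the point of the conjunction: a legitimate BITS client also embeds the CLSID, so $str1 alone would be a noisy indicator, and only the combination with the decoding loop and the GetInstanceW string fires the rule.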
The rule uses three string patterns joined by a conjunction, so a file must contain all three (the BITS CLSID, the GetInstanceW name and the decoding loop) before it matches; this keeps the rule specific to the family rather than to any single artifact that benign software might share. The sample_sha1 in the metadata identifies the reference sample the rule was written against and is not a detection on its own.
The rule can be deployed wherever YARA is evaluated: with the yara command-line scanner over suspect files, in endpoint agents and sandboxes that support YARA, and by ingesting the resulting hits into Azure Sentinel for correlation with the process telemetry covered by the exclusions below.
The following exclusions trim known-benign administrative activity from the process-creation telemetry that a Plabit hunt correlates with YARA hits; they do not change what the YARA rule itself matches. Each filter is written as the condition an event must satisfy to stay in the result set, i.e. the negation of "this process with these arguments". LIKE patterns need % wildcards: without them the argument string has to equal the pattern exactly, and the exclusion removes nothing.
Scenario: Scheduled system maintenance using PowerShell scripts for log cleanup
Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%Cleanup%'
Scenario: Windows Task Scheduler job running a legitimate script for backup purposes
Filter/Exclusion: process.name != "schtasks.exe" OR process.args NOT LIKE '%/RU SYSTEM%'
Scenario: Microsoft Endpoint Configuration Manager (MECM) deploying software updates
Filter/Exclusion: process.name != "msiexec.exe" OR process.args NOT LIKE '%/i %'
Scenario: Windows Admin Center performing remote management tasks
Filter/Exclusion: process.name != "winrm.exe" OR process.args NOT LIKE '%/config%'
Scenario: Microsoft Intune deploying configuration profiles to devices
Filter/Exclusion: process.name != "intunewsm.exe" OR process.args NOT LIKE '%/install%'
Caveat: these exclusions are wide. Attackers use the same built-ins (schtasks with /RU SYSTEM for persistence, msiexec /i to install a payload, PowerShell for almost everything), so a Plabit installer launched through one of them would be suppressed as well. Narrow each exclusion to the known script path, package signer or hash, the expected parent process and the account that runs it, and route excluded events to a low-priority view rather than discarding them. Verify the process names against your own telemetry: on Windows, winrm is a .cmd wrapper around winrm.vbs rather than an .exe, and the Intune agent's executable name should be checked against the Intune Management Extension deployed in your tenant.
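Added example, not from the original page: the exclusions above applied in Python to constructed process-creation events, with a small LIKE emulator (case-insensitive, as KQL's contains is in Sentinel), showing what a pattern without wildcards does and why an unscoped schtasks exclusion also hides an attacker's persistence task. The events, the backup-script path and the tighter pattern are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    name: str   # image name, e.g. schtasks.exe
    args: str   # command-line arguments


def sql_like(value: str, pattern: str) -> bool:
    """Emulate SQL LIKE: '%' matches any run of characters, '_' one character, and the
    pattern must cover the whole value. Case-insensitive here, as with KQL's contains."""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags=re.IGNORECASE | re.DOTALL) is not None


# The scenarios above as (process name, args LIKE pattern) pairs. An event is dropped
# when BOTH match, i.e. kept when name != X OR args NOT LIKE pattern.
# The Intune agent name is carried over from the page and should be verified locally.
EXCLUSIONS = [
    ("powershell.exe", "%Cleanup%"),
    ("schtasks.exe", "%/RU SYSTEM%"),
    ("msiexec.exe", "%/i %"),
    ("winrm.exe", "%/config%"),
    ("intunewsm.exe", "%/install%"),
]

# Tighter variant (assumed script path, for illustration): only the known backup task,
# not every task registered to run as SYSTEM, is excluded.
TIGHT_EXCLUSIONS = [
    (name, r"%/TR C:\Scripts\backup.cmd%/RU SYSTEM%" if name == "schtasks.exe" else pat)
    for name, pat in EXCLUSIONS
]


def keep_event(ev: ProcEvent, exclusions=EXCLUSIONS) -> bool:
    """True when no exclusion removes the event (the page's OR filters ANDed together)."""
    return all(ev.name.lower() != name.lower() or not sql_like(ev.args, pat)
               for name, pat in exclusions)


def apply_filters(events, exclusions=EXCLUSIONS):
    """Events that survive the exclusions, in their original order."""
    return [ev for ev in events if keep_event(ev, exclusions)]


# Constructed process-creation events (not real telemetry).
EVENTS = [
    ProcEvent("powershell.exe", r"-ExecutionPolicy Bypass -File C:\Scripts\LogCleanup.ps1"),
    ProcEvent("schtasks.exe", r"/Create /SC DAILY /TN NightlyBackup /TR C:\Scripts\backup.cmd /RU SYSTEM"),
    ProcEvent("schtasks.exe", r"/Create /SC ONLOGON /TN Updater /TR C:\Users\Public\svc.exe /RU SYSTEM"),
    ProcEvent("powershell.exe", "-nop -w hidden -enc SQBFAFgA"),
    ProcEvent("msiexec.exe", r"/i C:\Windows\ccmcache\a1\update.msi /qn"),
]

if __name__ == "__main__":
    print("'/RU SYSTEM' without wildcards matches the backup task:", sql_like(EVENTS[1].args, "/RU SYSTEM"))
    print("kept (broad):", [e.args for e in apply_filters(EVENTS)])
    print("kept (tight):", [e.args for e in apply_filters(EVENTS, TIGHT_EXCLUSIONS)])
```

With the broad exclusions only the encoded PowerShell command survives; the suspicious ONLOGON task pointing at a binary under C:\Users\Public is silently dropped along with the real backup job. The tighter pattern keeps the suspicious task in the hunt while still excluding the known backup script.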