The Dipsind variant is likely being used by adversaries to establish persistence and exfiltrate data through compromised Azure resources. SOC teams should proactively hunt for this behavior to identify and mitigate potential long-term access and data theft in their Azure Sentinel environment.
YARA Rule
rule Trojan_Win32_Placisc3
{
    meta:
        author = "Microsoft"
        description = "Dipsind variant"
        original_sample_sha1 = "1b542dd0dacfcd4200879221709f5fa9683cdcda"
        unpacked_sample_sha1 = "bbd4992ee3f3a3267732151636359cf94fb4575d"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"

    strings:
        $str1 = {BA 6E 00 00 00 66 89 95 ?? ?? FF FF B8 73 00 00 00 66 89 85 ?? ?? FF FF B9 64 00 00 00 66 89 8D ?? ?? FF FF BA 65 00 00 00 66 89 95 ?? ?? FF FF B8 6C 00 00 00}
        $str2 = "VPLRXZHTU"
        $str3 = {8B 44 24 ?? 8A 04 01 41 32 C2 3B CF 7C F2 88 03}

    condition:
        $str1 and $str2 and $str3
}
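As an added illustration (not part of the original rule and not Microsoft's tooling), the following Python evaluates the three strings of this rule against a constructed byte buffer, showing how the `??` wildcards in $str1 and $str3 absorb the per-build stack displacements while the surrounding opcode bytes must match exactly, and how the condition requires all three hits. The buffer and offsets are constructed for the demonstration; in production the rule is run with the real yara engine.

```python
import re

# The three strings from the Trojan_Win32_Placisc3 rule above. $str1 and $str3 are
# YARA hex strings; "??" is a one-byte wildcard used where bytes vary between builds.
# $str1: mov edx/eax/ecx, imm32 then mov word [ebp+disp32], reg, i.e. a stack string
#        built from 16-bit characters ('n','s','d','e','l'); the disp32 is wildcarded.
# $str3: mov eax,[esp+disp8]; mov al,[ecx+eax]; inc ecx; xor al,dl; cmp ecx,edi; jl ...
#        a single-byte XOR decode loop; only the disp8 of the first load is wildcarded.
RULE_STRINGS = {
    "$str1": "{BA 6E 00 00 00 66 89 95 ?? ?? FF FF B8 73 00 00 00 66 89 85 ?? ?? FF FF "
             "B9 64 00 00 00 66 89 8D ?? ?? FF FF BA 65 00 00 00 66 89 95 ?? ?? FF FF "
             "B8 6C 00 00 00}",
    "$str2": '"VPLRXZHTU"',
    "$str3": "{8B 44 24 ?? 8A 04 01 41 32 C2 3B CF 7C F2 88 03}",
}

def compile_string(spec: str) -> re.Pattern:
    """Turn a YARA text string or hex string (with ?? wildcards) into a bytes regex."""
    if spec.startswith('"'):                       # plain text string, case-sensitive
        return re.compile(re.escape(spec.strip('"').encode()))
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in spec.strip("{}").split()]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: ?? must also match 0x0A

def scan(data: bytes) -> dict:
    """Return {string_name: [offsets]} for every rule string found in data."""
    return {name: [m.start() for m in compile_string(spec).finditer(data)]
            for name, spec in RULE_STRINGS.items()}

def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: $str1 and $str2 and $str3."""
    hits = scan(data)
    return all(hits[name] for name in ("$str1", "$str2", "$str3"))

# Constructed sample (not a real Dipsind binary): a 16-byte header, then an instance
# of $str1 with arbitrary displacement bytes in the wildcard slots (offset 16), filler,
# an instance of $str3 (offset 77), and the text string $str2 (offset 94).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + bytes.fromhex("BA 6E 00 00 00 66 89 95 A4 FE FF FF B8 73 00 00 00 66 89 85 A6 FE FF FF "
                    "B9 64 00 00 00 66 89 8D A8 FE FF FF BA 65 00 00 00 66 89 95 AA FE FF FF "
                    "B8 6C 00 00 00")
    + b"\xcc" * 8
    + bytes.fromhex("8B 44 24 10 8A 04 01 41 32 C2 3B CF 7C F2 88 03")
    + b"\x00VPLRXZHTU\x00"
)

if __name__ == "__main__":
    print(scan(SAMPLE), rule_matches(SAMPLE))
```

Dropping any one of the three strings (for instance overwriting the text string) makes the condition fail, while changing only the wildcarded displacement bytes does not.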
This rule contains 3 string patterns in its detection logic.

This YARA rule can be deployed in the following contexts:

Scenario: System update or patch deployment using Microsoft Update or Windows Server Update Services (WSUS)
Filter/Exclusion: Check for ProcessName containing wuauclt.exe or wsuapi.exe, or filter by ParentProcessName matching known update services.

Scenario: Scheduled backup job using Veeam Backup & Replication or Commvault
Filter/Exclusion: Include ProcessName like veeambackup.exe or cvbackup.exe, or use CommandLine containing backup job names or paths.

Scenario: Administrative task such as Group Policy Object (GPO) processing or Windows Task Scheduler job execution
Filter/Exclusion: Filter by ProcessName like gupdate.exe or schtasks.exe, or check for ParentProcessName matching services.exe or taskhost.exe.

Scenario: Log collection or monitoring tool like Splunk Universal Forwarder or Microsoft Log Analytics Agent
Filter/Exclusion: Include ProcessName like splunkforwarder.exe or logagent.exe, or use CommandLine containing log collection paths or configurations.

Scenario: Database maintenance task using SQL Server Agent Job or MySQL Maintenance Tool
Filter/Exclusion: Filter by ProcessName like sqlservr.exe or mysqld.exe, or use CommandLine containing maintenance scripts or job names.