The detection identifies potential deployment of a Dipsind variant installer, which may indicate initial compromise or lateral movement. SOC teams should proactively hunt for this behavior to identify early-stage adversarial activity and prevent further exploitation in their Azure Sentinel environment.
YARA Rule
rule Trojan_Win32_Placisc4
{
    meta:
        author = "Microsoft"
        description = "Installer for Dipsind variant"
        original_sample_sha1 = "3d17828632e8ff1560f6094703ece5433bc69586"
        unpacked_sample_sha1 = "2abb8e1e9cac24be474e4955c63108ff86d1a034"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"

    strings:
        $str1 = {8D 71 01 8B C6 99 BB 0A 00 00 00 F7 FB 0F BE D2 0F BE 04 39 2B C2 88 04 39 84 C0 74 0A}
        $str2 = {6A 04 68 00 20 00 00 68 00 00 40 00 6A 00 FF D5}
        $str3 = {C6 44 24 ?? 64 C6 44 24 ?? 6F C6 44 24 ?? 67 C6 44 24 ?? 32 C6 44 24 ?? 6A}

    condition:
        $str1 and $str2 and $str3
}
This rule contains 3 string patterns in its detection logic, and all three must be present for the condition to fire: two fixed byte sequences ($str1 and $str2) and one sequence with ?? wildcards ($str3). The benign scenarios below can produce activity that resembles the installer's; the suggested filters key on process names and command lines, so they apply to the alert raised on a YARA hit rather than to the byte patterns themselves:
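To show what the three patterns actually match, here is an added Python example (not Microsoft's code and not part of the original page): it translates the rule's hex strings, including the ?? wildcards in $str3, into byte regexes, evaluates the condition $str1 and $str2 and $str3 over a constructed buffer, and recovers the characters that $str3's mov byte [esp+disp8], imm8 sequence builds on the stack. The opcode decoding in the comments is my own reading of the bytes on the page.

```python
import re

# The three hex strings from rule Trojan_Win32_Placisc4, copied verbatim from the rule.
RULE_STRINGS = {
    # lea esi,[ecx+1]; mov eax,esi; cdq; mov ebx,10; idiv ebx; movsx edx,dl;
    # movsx eax,byte [ecx+edi]; sub eax,edx; mov [ecx+edi],al; test al,al; jz ...
    # i.e. a loop that subtracts ((i+1) % 10) from each byte of a buffer (my decoding).
    "$str1": "8D 71 01 8B C6 99 BB 0A 00 00 00 F7 FB 0F BE D2 0F BE 04 39 2B C2 88 04 39 84 C0 74 0A",
    # push 4; push 0x2000; push 0x400000; push 0; call ebp (my decoding).
    "$str2": "6A 04 68 00 20 00 00 68 00 00 40 00 6A 00 FF D5",
    # five x mov byte [esp+disp8], imm8 with the stack offsets wildcarded.
    "$str3": "C6 44 24 ?? 64 C6 44 24 ?? 6F C6 44 24 ?? 67 C6 44 24 ?? 32 C6 44 24 ?? 6A",
}

def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string (fixed bytes plus '??' wildcards) into a bytes regex."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")  # any single byte; DOTALL below lets it match 0x0A too
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: hex_string_to_regex(h) for name, h in RULE_STRINGS.items()}

def evaluate_rule(buf: bytes) -> dict:
    """Return the hit offsets per string; 'match' mirrors `$str1 and $str2 and $str3`."""
    hits = {name: [m.start() for m in rx.finditer(buf)] for name, rx in COMPILED.items()}
    hits["match"] = all(hits[name] for name in RULE_STRINGS)
    return hits

def stacked_string(buf: bytes, offset: int) -> bytes:
    """Recover the five imm8 characters written by the $str3 sequence starting at offset."""
    # Each instruction is 5 bytes: C6 44 24 <disp8> <imm8>; the imm8 is the character.
    return bytes(buf[offset + 4 + 5 * i] for i in range(5))

# Constructed sample buffer (not a real Dipsind sample): filler around the three sequences,
# with concrete stack offsets 0x10..0x14 standing in for the $str3 wildcards.
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex(RULE_STRINGS["$str1"]) + b"\xcc" * 4
    + bytes.fromhex(RULE_STRINGS["$str2"]) + b"\xcc" * 4
    + bytes.fromhex("C6 44 24 10 64 C6 44 24 11 6F C6 44 24 12 67 C6 44 24 13 32 C6 44 24 14 6A")
)

if __name__ == "__main__":
    result = evaluate_rule(SAMPLE)
    print(result)                                         # match: True
    print(stacked_string(SAMPLE, result["$str3"][0]))     # b'dog2j'
```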
Scenario: System update via Microsoft Update
Filter/Exclusion: Check for ProcessName containing wuauclt.exe or msiexec.exe with CommandLine containing /i or /update
Rationale: Legitimate system updates may trigger similar installer behavior.

Scenario: Scheduled maintenance task using PowerShell
Filter/Exclusion: Filter by ProcessName containing powershell.exe and CommandLine containing Start-Process or Invoke-Command with known maintenance scripts
Rationale: Scheduled maintenance scripts may execute installers or similar processes.

Scenario: Admin deploying software via Group Policy
Filter/Exclusion: Check for ProcessName containing gpupdate.exe or msiexec.exe with CommandLine containing /package and Deployment
Rationale: Group Policy software deployment can trigger installer-like activity.

Scenario: User installing a legitimate application (e.g., Adobe Acrobat)
Filter/Exclusion: Filter by ProcessName containing msiexec.exe and CommandLine containing the known installer package name (e.g., AdobeAcrobatReaderDC.msi)
Rationale: Legitimate software installers may match the detection logic.

Scenario: Antivirus or endpoint protection tool performing a scan
Filter/Exclusion: Check for ProcessName containing mpsvc.exe, mcafee.exe, or avgnt.exe and CommandLine containing scan or update
Rationale: Security tools may execute processes that resemble malicious installers.