The Trojan_Win32_Plagicom rule covers the installer component of the Plagicom family, which Microsoft attributes to the PLATINUM activity group (see the rule's meta section). The installer is the stage that executes the payload or establishes persistence on a host, so SOC teams should hunt for it proactively, for example by scanning files collected from endpoints with YARA and correlating the hits in Azure Sentinel, to catch an intrusion early, before later stages evade traditional signature-based detection.
YARA Rule
rule Trojan_Win32_Plagicom
{
    meta:
        author = "Microsoft"
        description = "Installer component"
        original_sample_sha1 = "99dcb148b053f4cef6df5fa1ec5d33971a58bd1e"
        unpacked_sample_sha1 = "c1c950bc6a2ad67488e675da4dfc8916831239a7"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = {C6 44 24 ?? 68 C6 44 24 ?? 4D C6 44 24 ?? 53 C6 44 24 ?? 56 C6 44 24 ?? 00}
        $str2 = "OUEMM/EMM"
        $str3 = {85 C9 7E 08 FE 0C 10 40 3B C1 7C F8 C3}
    condition:
        $str1 and $str2 and $str3
}
The rule has three string patterns, and its condition requires all of them to be present:
$str1 is a run of five mov byte ptr [esp+disp8], imm8 instructions (opcode bytes C6 44 24) that build a short string on the stack one byte at a time. The ?? wildcards cover the stack offsets, which vary between builds; the immediates are 68 4D 53 56 00, i.e. "hMSV" followed by a terminator.
$str2 is the literal OUEMM/EMM.
$str3 is a small routine that decrements every byte of a buffer: test ecx,ecx / jle / dec byte ptr [eax+edx] / inc eax / cmp eax,ecx / jl / ret. Applying that decrement to $str2 yields NTDLL.DLL, so the literal is the encoded form of a DLL name, not a string a legitimate installer carries.
Because all three patterns must match, the rule is narrow. The scenarios below describe legitimate activity that can surface in the same Sentinel telemetry when the rule is used for hunting, and how to scope the resulting alerts.
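To show what the three patterns actually key on, here is an added Python reimplementation of the rule's logic that is not part of Microsoft's rule or of this page. It converts the hex patterns (with ?? wildcards) into byte regexes, recovers the stack string that $str1 builds, emulates the byte-decrement loop that $str3 implements and applies it to $str2, and evaluates the AND condition. The two input buffers are constructed for the example; they are not real samples, and my reading of the $str1/$str3 bytes as x86 instructions is an assumption stated in the comments.

```python
import re
import sys

# Patterns transcribed from the Trojan_Win32_Plagicom rule on this page.
STR1_HEX = "C6 44 24 ?? 68 C6 44 24 ?? 4D C6 44 24 ?? 53 C6 44 24 ?? 56 C6 44 24 ?? 00"
STR2_ASCII = b"OUEMM/EMM"
STR3_HEX = "85 C9 7E 08 FE 0C 10 40 3B C1 7C F8 C3"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA hex string with ?? wildcards into a compiled bytes regex.

    Only full-byte wildcards are supported here; anything else is rejected so a
    typo in a pattern cannot silently widen the match.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                      # any single byte
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            parts.append(b"\\x%02x" % int(tok, 16))  # literal byte as \xHH
        else:
            raise ValueError(f"unsupported token in hex pattern: {tok!r}")
    # DOTALL so the wildcard also matches 0x0A, which '.' would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


STR1_RE = hex_pattern_to_regex(STR1_HEX)
STR3_RE = hex_pattern_to_regex(STR3_HEX)


def stack_string_from_str1(match: bytes) -> bytes:
    """Recover the string built by $str1.

    Assumption (my disassembly): each 5-byte unit is
    C6 44 24 <disp8> <imm8> = mov byte ptr [esp+disp8], imm8, so the imm8 at
    index 4 of every unit is one character of the stack string.
    """
    chars = bytes(match[i + 4] for i in range(0, len(match), 5))
    return chars.rstrip(b"\x00")


def decode_add_one_loop(buf: bytes) -> bytes:
    """Emulate the routine matched by $str3.

    Assumption (my disassembly):
      85 C9     test ecx, ecx        ; ecx = length
      7E 08     jle  done            ; nothing to do for length <= 0
      FE 0C 10  dec  byte ptr [eax+edx]
      40        inc  eax
      3B C1     cmp  eax, ecx
      7C F8     jl   loop
      C3        ret
    i.e. subtract 1 from every byte of the buffer.
    """
    return bytes((b - 1) & 0xFF for b in buf)


def scan_plagicom(data: bytes) -> dict:
    """Apply the rule condition ($str1 and $str2 and $str3) to a byte buffer."""
    m1 = STR1_RE.search(data)
    i2 = data.find(STR2_ASCII)
    m3 = STR3_RE.search(data)
    offsets = {
        "str1": m1.start() if m1 else None,
        "str2": i2 if i2 >= 0 else None,
        "str3": m3.start() if m3 else None,
    }
    return {
        "match": all(v is not None for v in offsets.values()),
        "offsets": offsets,
        "str1_stack_string": stack_string_from_str1(m1.group(0)) if m1 else None,
        "str2_decoded": decode_add_one_loop(STR2_ASCII) if i2 >= 0 else None,
    }


# Constructed test buffers (not real samples). The first carries all three
# artifacts, with arbitrary stack offsets 0x10..0x14 in the mov instructions;
# the second carries only the literal, so the AND condition must fail.
SYNTHETIC_HIT = (
    b"MZ" + b"\x00" * 14
    + bytes.fromhex("C644241068 C64424114D C644241253 C644241356 C644241400")
    + b"\x90" * 8
    + STR2_ASCII + b"\x00"
    + b"\x90" * 8
    + bytes.fromhex("85C97E08FE0C10403BC17CF8C3")
)
SYNTHETIC_MISS = b"MZ" + b"\x00" * 14 + STR2_ASCII + b"\x00" + b"\x90" * 32


if __name__ == "__main__":
    # Optionally scan a file given on the command line; otherwise show the samples.
    targets = {"synthetic_hit": SYNTHETIC_HIT, "synthetic_miss": SYNTHETIC_MISS}
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            targets = {sys.argv[1]: fh.read()}
    for name, blob in targets.items():
        print(name, scan_plagicom(blob))
```

The decoded value of $str2 is the useful triage fact: a hit on the literal alone is just nine printable bytes, but the literal together with the decrement routine is an obfuscated DLL name plus its decoder, which is why the rule demands both and why a match in a stock installer deserves a closer look rather than an exclusion.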
Note that YARA matches file or memory content, not processes, so the ProcessName and CommandLine fields below only apply once a hit has been joined with process-creation telemetry in Sentinel (for example, the process that wrote or executed the flagged file). Use them to scope triage, not as the sole basis for suppression.
Scenario: A legitimate update delivered by Windows Update or Microsoft Endpoint Manager (MEM) installs a component that is scanned and matches the rule.
Filter/Exclusion: Check for ProcessName containing wuauclt.exe, a Microsoft-signed setup.exe, or msiexec.exe running a known update package, and confirm the scanned file's hash against that package before excluding it.
Scenario: An administrative task such as applying Group Policy Objects (GPOs) or deploying Microsoft Intune policies triggers the rule because it runs installer components.
Filter/Exclusion: Filter on the User field to restrict to administrative accounts, or on ProcessName containing gpupdate.exe or intunewin.exe, and verify that the flagged file belongs to the deployed policy package.
Scenario: A scheduled job runs a legitimate installer, such as Chocolatey or WSL (Windows Subsystem for Linux), and the files it writes are scanned.
Filter/Exclusion: Use ProcessName like choco.exe or wsl.exe, or check the CommandLine for the package manager invocation and the package it installed.
Scenario: A third-party archiver such as 7-Zip or WinRAR extracts an archive containing installer components, and the extracted files are scanned.
Filter/Exclusion: Filter by ProcessName containing 7z.exe, rar.exe, or unzip.exe, or check the CommandLine for the extraction command and the archive's source. Extraction by a trusted tool does not make the extracted content trusted, so still verify the flagged file's hash.
Scenario: A software deployment tool such as Microsoft Endpoint Configuration Manager (MECM, formerly SCCM) installs software components that match the rule.
Filter/Exclusion: Use ProcessName like ccmexec.exe, mpsmaint.exe, or setup.exe together with a known deployment package name, and confirm the file hash against the package in the deployment source.
Because the condition requires all three strings, and two of them together form an encoded DLL name with its decoder, a match in software from any of these sources is unusual. Verify the file's hash and Authenticode signature and, for Microsoft-distributed packages, compare against the known-good package contents before excluding; a signed binary that genuinely contains all three patterns is a finding to investigate, not a false positive to filter.