The Dipsind variant is likely being used by adversaries to establish persistence and exfiltrate data through compromised Azure resources. SOC teams should proactively hunt for this behavior to identify and mitigate potential long-term access and data theft in their Azure Sentinel environment.
YARA Rule
rule Trojan_Win32_Plagon
{
    meta:
        author = "Microsoft"
        description = "Dipsind variant"
        original_sample_sha1 = "48b89f61d58b57dba6a0ca857bce97bab636af65"
        unpacked_sample_sha1 = "6dccf88d89ad7b8611b1bc2e9fb8baea41bdb65a"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "VPLRXZHTU"
        $str2 = {64 6F 67 32 6A 7E 6C}
        $str3 = "Dqpqftk(Wou\"Isztk)"
        $str4 = "StartThreadAtWinLogon"
    condition:
        $str1 and $str2 and $str3 and $str4
}
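To show what the rule above actually tests for, here is an added pure-Python re-implementation of its four strings and its condition (this is example code, not Microsoft's rule or the YARA engine). It decodes the strings the way YARA does (case-sensitive ASCII text, the \" escape as a literal quote, the hex string as raw bytes), runs them over two constructed byte buffers that are not real samples, and reports partial hits, which the real rule would silently drop because its condition requires all four.

```python
import re

# The four strings from the Trojan_Win32_Plagon rule, decoded as YARA would:
# text strings are case-sensitive ASCII by default, \" is a literal quote,
# and {64 6F 67 32 6A 7E 6C} is seven raw bytes.
PLAGON_STRINGS = {
    "$str1": b"VPLRXZHTU",
    "$str2": bytes.fromhex("64 6F 67 32 6A 7E 6C"),  # decodes to b"dog2j~l"
    "$str3": b'Dqpqftk(Wou"Isztk)',                 # "Dqpqftk(Wou\"Isztk)"
    "$str4": b"StartThreadAtWinLogon",
}


def match_strings(data: bytes) -> dict:
    """Return {identifier: [offsets]} for every rule string present in data."""
    hits = {}
    for ident, pattern in PLAGON_STRINGS.items():
        offsets = [m.start() for m in re.finditer(re.escape(pattern), data)]
        if offsets:
            hits[ident] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """The rule's condition: $str1 and $str2 and $str3 and $str4."""
    return len(match_strings(data)) == len(PLAGON_STRINGS)


def triage(data: bytes) -> str:
    """Hunting helper: distinguish a full match from partial hits the rule ignores."""
    hits = match_strings(data)
    if len(hits) == len(PLAGON_STRINGS):
        return "MATCH"
    if hits:
        return "PARTIAL: " + ",".join(sorted(hits))
    return "NO_HITS"


# Constructed buffers (not real malware): an "MZ" header, padding, and the strings.
FULL_SAMPLE = (b"MZ" + b"\x00" * 14 + b"VPLRXZHTU" + b"\x00" * 8
               + bytes.fromhex("646F67326A7E6C") + b"\x00" * 4
               + b'Dqpqftk(Wou"Isztk)' + b"\x00" * 8 + b"StartThreadAtWinLogon")
# A file that only contains the logon-thread string must not fire the rule.
PARTIAL_SAMPLE = b"MZ" + b"\x00" * 16 + b"StartThreadAtWinLogon" + b"\x00" * 16

if __name__ == "__main__":
    for name, buf in (("full", FULL_SAMPLE), ("partial", PARTIAL_SAMPLE)):
        print(name, triage(buf), match_strings(buf))
```

The offsets returned by match_strings are what a YARA console match would print next to each $strN identifier, which is useful when confirming a hit against an unpacked memory region rather than the on-disk file.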
This rule contains 4 string patterns in its detection logic, and its condition requires all four to be present before it fires. When the rule is deployed alongside process telemetry, the following legitimate scenarios may produce alerts that need tuning; each lists a suggested filter or exclusion and the rationale for it:
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Check for process.name containing “Veeam” or process.parent.name containing “VeeamBackupService”
Rationale: Legitimate backup processes may exhibit similar behavior to malicious activity.

Scenario: Windows Task Scheduler running a routine maintenance job
Filter/Exclusion: Filter by process.name containing “schtasks” or process.parent.name containing “Task Scheduler”
Rationale: Scheduled tasks can execute scripts or binaries that may trigger the rule.

Scenario: Microsoft SQL Server Agent Job performing database maintenance
Filter/Exclusion: Check for process.name containing “sqlservr” or process.parent.name containing “SQLAgent”
Rationale: SQL Server jobs often execute scripts or binaries that may be flagged by the rule.

Scenario: Ansible playbook execution for configuration management
Filter/Exclusion: Filter by process.name containing “ansible” or process.parent.name containing “ansible-playbook”
Rationale: Ansible scripts may execute commands that resemble malicious behavior.

Scenario: PowerShell script running as part of a Windows Update or Group Policy deployment
Filter/Exclusion: Check for process.name containing “powershell.exe” and process.parent.name containing either “svchost.exe” or “taskeng.exe”
Rationale: PowerShell scripts used in system updates or policy changes may trigger the rule.