The "Installer component" rule (Trojan_Win32_Plainst) detects potential adversary use of custom installer components to execute malicious payloads or establish persistence on a system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts that may evade traditional detection methods.
YARA Rule
rule Trojan_Win32_Plainst
{
    meta:
        author = "Microsoft"
        description = "Installer component"
        original_sample_sha1 = "99c08d31af211a0e17f92dd312ec7ca2b9469ecb"
        unpacked_sample_sha1 = "dcb6cf7cf7c8fdfc89656a042f81136bda354ba6"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"

    strings:
        $str1 = {66 8B 14 4D 18 50 01 10 8B 45 08 66 33 14 70 46 66 89 54 77 FE 66 83 7C 77 FE 00 75 B7 8B 4D FC 89 41 08 8D 04 36 89 41 0C 89 79 04}
        $str2 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97}

    condition:
        $str1 and $str2
}
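The following is an added example, not part of the original page or of Microsoft's tooling. It re-implements the rule's matching logic in pure Python so the two hex strings and the "$str1 and $str2" condition can be exercised against constructed buffers without a YARA install (useful for unit-testing a rule before deployment). The hex-string compiler also handles the "??" and single-nibble wildcards that YARA allows, which goes beyond what this particular rule uses; the BOTH and ONLY_STR1 buffers are constructed test data, not samples.

```python
import re
from typing import Dict, List

# Hex strings copied verbatim from the Trojan_Win32_Plainst rule above.
STR1 = ("66 8B 14 4D 18 50 01 10 8B 45 08 66 33 14 70 46 66 89 54 77 FE 66 83 "
        "7C 77 FE 00 75 B7 8B 4D FC 89 41 08 8D 04 36 89 41 0C 89 79 04")
STR2 = "4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97"


def parse_hex_string(pattern: str) -> bytes:
    """Turn a plain YARA hex string body (no wildcards) into raw bytes."""
    return bytes(int(tok, 16) for tok in pattern.split())


def hex_to_regex(pattern: str):
    """Compile a YARA-style hex string to a bytes regex.

    Supports literal bytes, the full-byte wildcard '??' and single-nibble
    wildcards such as '4?' or '?B' (a superset of what this rule needs).
    Jumps like [4-6] are deliberately not supported here.
    """
    parts = []
    for tok in pattern.split():
        if len(tok) != 2:
            raise ValueError("unsupported token: %r" % tok)
        if tok == "??":
            parts.append(b".")
        elif "?" in tok:
            # Enumerate every byte value compatible with the fixed nibble.
            fixed = tok.replace("?", "").upper()
            pos = tok.index(fixed.lower()) if fixed.lower() in tok else tok.index(fixed)
            vals = [v for v in range(256) if ("%02X" % v)[pos] == fixed]
            parts.append(b"[" + b"".join(re.escape(bytes([v])) for v in vals) + b"]")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_all(data: bytes, pattern: str) -> List[int]:
    """Offsets at which the hex string occurs in data."""
    return [m.start() for m in hex_to_regex(pattern).finditer(data)]


def evaluate_plainst(data: bytes) -> Dict[str, object]:
    """Mirror the rule's condition: '$str1 and $str2' (both must be present)."""
    s1 = find_all(data, STR1)
    s2 = find_all(data, STR2)
    return {"str1": s1, "str2": s2, "match": bool(s1) and bool(s2)}


# Constructed test buffers (zero filler plus the patterns; not real samples).
FILLER = b"\x00" * 64
BOTH = FILLER + parse_hex_string(STR1) + FILLER + parse_hex_string(STR2) + FILLER
ONLY_STR1 = FILLER + parse_hex_string(STR1) + FILLER

if __name__ == "__main__":
    for name, buf in (("both strings", BOTH), ("only $str1", ONLY_STR1)):
        print(name, evaluate_plainst(buf))
```

Because the condition is a conjunction, a file carrying only the 44-byte code fragment ($str1) or only the 16-byte $str2 value will not fire; when tuning or porting the rule, test both the positive case and each single-string negative case so a later edit to the condition is caught.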
This rule contains two string patterns ($str1 and $str2) in its detection logic, and both must be present for it to match. It can be deployed in the following contexts, each paired with a filter or exclusion for the legitimate activity it overlaps with:
Scenario: A system update or patch installation using Windows Update or Group Policy Preferences (GPP).
Filter/Exclusion: Check for ProcessName containing wuauclt.exe or gpreference.exe, or filter by ParentProcessName being services.exe or svchost.exe.

Scenario: A scheduled job running a legitimate installer, such as a Microsoft .NET Framework update or a Java Runtime Environment installation.
Filter/Exclusion: Filter by ProcessName matching dotnetfx.exe or javaws.exe, or check for CommandLine containing known update package names.

Scenario: An administrative task installing a third-party application, such as MySQL Installer or VMware Tools.
Filter/Exclusion: Filter by ProcessName matching the installer executable (e.g., mysql-installer.exe, VMwareToolsInstaller.exe), or check for the User field matching a known admin account.

Scenario: Deployment of a software package via SCCM (System Center Configuration Manager) or Microsoft Endpoint Manager.
Filter/Exclusion: Check for ParentProcessName being smsts.exe or mpssvc.exe, or filter by CommandLine containing SCCM- or Intune-related strings.

Scenario: Use of PowerShell to run an installer script, such as deploying a custom application or configuration tool.
Filter/Exclusion: Filter by ProcessName being powershell.exe and check for CommandLine containing known script paths or parameters, or use a User filter for authorized administrators.
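The following is an added example, not part of the original page, showing how the five scenario exclusions above can be applied as a triage pass over process events before analysts look at what is left. The field names (ProcessName, ParentProcessName, CommandLine, User) follow the page's wording rather than any specific Sentinel table schema; the admin accounts, script paths, package names and all sample events are constructed placeholders to be replaced with values from your own environment.

```python
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Environment-specific allow-lists (constructed placeholders, all lower-case).
KNOWN_ADMINS = {"corp\\it-admin"}                               # assumed
KNOWN_SCRIPTS = {"c:\\deploy\\install-app.ps1"}                 # assumed
KNOWN_PACKAGES = {"ndp48-x86-x64-allos-enu.exe", "jre-8u"}      # assumed


def _base(path: str) -> str:
    """Lower-cased file name without directory, so full paths compare to names."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def _proc(ev: Event) -> str:
    return ev.get("ProcessName", "").lower()


def _parent(ev: Event) -> str:
    return ev.get("ParentProcessName", "").lower()


def _cmd(ev: Event) -> str:
    return ev.get("CommandLine", "").lower()


def _user(ev: Event) -> str:
    return ev.get("User", "").lower()


# One predicate per scenario, using exactly the page's filter criteria.
def windows_update_or_gpp(ev: Event) -> bool:
    return (any(p in _proc(ev) for p in ("wuauclt.exe", "gpreference.exe"))
            or _base(_parent(ev)) in ("services.exe", "svchost.exe"))


def scheduled_installer(ev: Event) -> bool:
    return (_base(_proc(ev)) in ("dotnetfx.exe", "javaws.exe")
            or any(pkg in _cmd(ev) for pkg in KNOWN_PACKAGES))


def admin_third_party(ev: Event) -> bool:
    return (_base(_proc(ev)) in ("mysql-installer.exe", "vmwaretoolsinstaller.exe")
            or _user(ev) in KNOWN_ADMINS)


def sccm_or_intune(ev: Event) -> bool:
    return (_base(_parent(ev)) in ("smsts.exe", "mpssvc.exe")
            or any(s in _cmd(ev) for s in ("sccm", "intune")))


def powershell_known_script(ev: Event) -> bool:
    return (_base(_proc(ev)) == "powershell.exe"
            and (any(s in _cmd(ev) for s in KNOWN_SCRIPTS) or _user(ev) in KNOWN_ADMINS))


SCENARIOS: List[Tuple[str, Callable[[Event], bool]]] = [
    ("Windows Update / GPP", windows_update_or_gpp),
    ("Scheduled legitimate installer", scheduled_installer),
    ("Admin third-party install", admin_third_party),
    ("SCCM / Intune deployment", sccm_or_intune),
    ("PowerShell known script", powershell_known_script),
]


def classify(ev: Event) -> str:
    """Name of the first exclusion scenario that matches, else INVESTIGATE."""
    for name, pred in SCENARIOS:
        if pred(ev):
            return name
    return "INVESTIGATE"


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    return [(int(ev["Id"]), classify(ev)) for ev in events]


def needs_investigation(events: List[Event]) -> List[int]:
    return [i for i, label in triage(events) if label == "INVESTIGATE"]


# Constructed sample events (not real telemetry): five benign, two to review.
SAMPLE_EVENTS: List[Event] = [
    {"Id": "1", "ProcessName": "C:\\Windows\\System32\\wuauclt.exe",
     "ParentProcessName": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "wuauclt.exe /detectnow", "User": "NT AUTHORITY\\SYSTEM"},
    {"Id": "2", "ProcessName": "C:\\Temp\\dotnetfx.exe",
     "ParentProcessName": "C:\\Windows\\System32\\taskeng.exe",
     "CommandLine": "dotnetfx.exe /q /norestart", "User": "NT AUTHORITY\\SYSTEM"},
    {"Id": "3", "ProcessName": "C:\\Users\\alice\\Downloads\\mysql-installer.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "mysql-installer.exe", "User": "CORP\\alice"},
    {"Id": "4", "ProcessName": "C:\\Deploy\\setup.exe",
     "ParentProcessName": "C:\\Windows\\CCM\\smsts.exe",
     "CommandLine": "setup.exe /s", "User": "NT AUTHORITY\\SYSTEM"},
    {"Id": "5", "ProcessName": "powershell.exe",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -File C:\\Deploy\\install-app.ps1", "User": "CORP\\jsmith"},
    {"Id": "6", "ProcessName": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "update.exe /silent", "User": "CORP\\bob"},
    {"Id": "7", "ProcessName": "powershell.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\Users\\bob\\AppData\\Local\\Temp\\run.ps1",
     "User": "CORP\\bob"},
]

if __name__ == "__main__":
    for event_id, label in triage(SAMPLE_EVENTS):
        print(event_id, label)
```

Two design points worth checking in your own deployment: the predicates are evaluated in order, so a broad criterion early in the list (a ParentProcessName of svchost.exe, or any event from a known admin account) will absorb events that a later, narrower scenario was meant to cover, and events that match no scenario are left for review rather than dropped, which keeps a mistyped allow-list entry from silently suppressing the alert.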