The Installer component rule (Trojan_Win32_Platual) detects potential adversary use of legitimate installation processes to execute malicious payloads or establish persistence within an environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts that may evade traditional detection methods.
YARA Rule
rule Trojan_Win32_Platual
{
    meta:
        author = "Microsoft"
        description = "Installer component"
        original_sample_sha1 = "e0ac2ae221328313a7eee33e9be0924c46e2beb9"
        unpacked_sample_sha1 = "ccaf36c2d02c3c5ca24eeeb7b1eae7742a23a86a"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $class_name = "AVCObfuscation"
        $scrambled_dir = { A8 8B B8 E3 B1 D7 FE 85 51 32 3E C0 F1 B7 73 99 }
    condition:
        $class_name and $scrambled_dir
}
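The rule's two strings and its AND condition, re-implemented in pure Python as an added example (not Microsoft's code and not a substitute for a YARA engine). It shows that a buffer carrying only the "AVCObfuscation" class name does not match; both strings must be present. The sample buffers are constructed filler, not real samples.

```python
"""Stand-in for the Trojan_Win32_Platual rule above (added example)."""
import re
from dataclasses import dataclass, field

# Strings taken verbatim from the rule on this page.
CLASS_NAME = b"AVCObfuscation"
SCRAMBLED_DIR = bytes.fromhex("A8 8B B8 E3 B1 D7 FE 85 51 32 3E C0 F1 B7 73 99")


@dataclass
class ScanResult:
    matched: bool
    offsets: dict = field(default_factory=dict)  # string id -> list of offsets


def find_all(haystack: bytes, needle: bytes) -> list:
    """Return every offset at which `needle` occurs in `haystack`."""
    return [m.start() for m in re.finditer(re.escape(needle), haystack)]


def scan_platual(data: bytes) -> ScanResult:
    """Evaluate `$class_name and $scrambled_dir` over a byte buffer.

    Both strings must be present. A file that merely contains the class-name
    string (a benign component reusing that identifier) does not match,
    which is what keeps the rule's false-positive rate low.
    """
    hits = {
        "$class_name": find_all(data, CLASS_NAME),
        "$scrambled_dir": find_all(data, SCRAMBLED_DIR),
    }
    return ScanResult(matched=all(hits.values()), offsets=hits)


# Constructed buffers (not real malware): an "MZ" header, zero/NOP filler,
# and the rule's strings embedded at known positions.
SAMPLE_BOTH = b"MZ" + b"\x00" * 62 + CLASS_NAME + b"\x90" * 10 + SCRAMBLED_DIR + b"\x00" * 8
SAMPLE_CLASS_ONLY = b"MZ" + b"\x00" * 62 + CLASS_NAME + b"\x00" * 30


def main() -> None:
    # Mirrors the `yara -s` style of reporting each string hit with its offset.
    for name, buf in (("both", SAMPLE_BOTH), ("class_only", SAMPLE_CLASS_ONLY)):
        result = scan_platual(buf)
        print(f"{name}: matched={result.matched}")
        for sid, offs in result.offsets.items():
            for off in offs:
                print(f"  {sid} @ 0x{off:x}")


if __name__ == "__main__":
    main()
```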
This rule contains two string patterns in its detection logic: the ASCII class name "AVCObfuscation" and a 16-byte hex sequence, both of which must be present for a match.
This YARA rule can be deployed in the following contexts; each scenario describes benign activity that may resemble the detected behavior, with a suggested filter or exclusion:
Scenario: A system administrator is manually installing a new software package using the msiexec command.
Filter/Exclusion: Exclude processes where the executable is msiexec.exe and the command line includes /i (install) with a known legitimate MSI file path.
Scenario: A scheduled job runs a script that temporarily creates an installer component (e.g., a temporary .msi file) as part of a deployment process.
Filter/Exclusion: Exclude processes where the parent process is a known deployment tool (e.g., PDQDeploy.exe, Chocolatey.exe) or where the file path contains a temporary directory (e.g., C:\Temp\).
Scenario: A user is running a legitimate installer (e.g., setup.exe from a software update) as part of a regular maintenance task.
Filter/Exclusion: Exclude processes where the executable is a known legitimate installer (e.g., setup.exe, install.exe) and the process is initiated by a user with standard privileges.
Scenario: A system update or patching tool (e.g., Windows Update, SCCM) creates temporary installer components during the update process.
Filter/Exclusion: Exclude processes where the parent process is a known patching tool (e.g., wusa.exe, ccmexec.exe) or where the file path contains a system update directory (e.g., C:\Windows\Temp\).
Scenario: A third-party application (e.g., Adobe Acrobat) uses an installer component as part of its installation or configuration process.
Filter/Exclusion: Exclude processes where the executable is associated with a known third-party application and the file path matches the application’s installation directory.