Applications with Installer as an application name

Hunt Hypothesis

Applications with “Installer” in their name may indicate malicious software attempting to disguise its purpose. SOC teams should proactively hunt for such entries in Azure Sentinel to identify potential adversarial tactics that evade traditional detection methods.

YARA Rule

rule Installer: banker android
{
	meta:
		author = "https://twitter.com/plutec_net"
		reference = "https://koodous.com/"
		description = "Applications with Installer as an application name"

	condition:
		androguard.package_name("Jk7H.PwcD")
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

References

• https://koodous.com/
• Source Rule

False Positive Guidance

• Scenario: A system update or patching tool named “Installer” is being executed as part of a scheduled maintenance task.
  Filter/Exclusion: Check for the presence of known patching tools (e.g., Windows Update, WSUS, Chocolatey, Ansible) in the process name or command line arguments.

• Scenario: A legitimate application installer (e.g., Setup.exe or Install.exe) is being run by an administrator to deploy software to multiple endpoints.
  Filter/Exclusion: Include a filter for known legitimate installers (e.g., Setup.exe, Install.exe) and check for the presence of a known deployment tool (e.g., PDQ Deploy, SCCM, Chocolatey).

• Scenario: A scheduled job runs a script that temporarily names a process “Installer” during a deployment or configuration task.
  Filter/Exclusion: Filter based on the command line arguments or parent process (e.g., powershell.exe, task scheduler, or schtasks.exe) to identify legitimate automation tasks.

• Scenario: A system management tool (e.g., SCOM, System Center, or Powershell) uses the term “Installer” in its script or configuration file.
  Filter/Exclusion: Exclude processes or commands associated with system management tools and check for known configuration or script execution patterns.

• Scenario: A user manually runs an installer for a legitimate application (e.g., Adobe Installer, Java Installer) as part of a software installation.
  Filter/Exclusion: Filter by the application name or vendor (e.g., Adobe, Oracle, Microsoft) and check for known legitimate installer files.