This rule detects potential Tachi apps, which are known to be used by adversaries for persistence and lateral movement within a network. Note that the rule author's own description states it matches tachi apps in general, not only malicious ones, so a hit needs triage. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity that may evade traditional detection methods.
YARA Rule
rule tachi : android
{
    meta:
        author = "https://twitter.com/plutec_net"
        source = "https://analyst.koodous.com/rulesets/1332"
        description = "This rule detects tachi apps (not all malware)"
        sample = "10acdf7db989c3acf36be814df4a95f00d370fe5b5fda142f9fd94acf46149ec"

    strings:
        $a = "svcdownload"
        $xml_1 = "<config>"
        $xml_2 = "<apptitle>"
        $xml_3 = "<txinicio>"
        $xml_4 = "<txiniciotitulo>"
        $xml_5 = "<txnored>"
        $xml_6 = "<txnoredtitulo>"
        $xml_7 = "<txnoredretry>"
        $xml_8 = "<txnoredsalir>"
        $xml_9 = "<laurl>"
        $xml_10 = "<txquieresalir>"
        $xml_11 = "<txquieresalirtitulo>"
        $xml_12 = "<txquieresalirsi>"
        $xml_13 = "<txquieresalirno>"
        $xml_14 = "<txfiltro>"
        $xml_15 = "<txfiltrourl>"
        $xml_16 = "<posicion>"

    condition:
        $a and 4 of ($xml_*)
}
This rule contains 17 string patterns in its detection logic: the anchor string "svcdownload" plus 16 XML tag names, and it fires only when the anchor is present together with at least 4 of the tags. The scenarios below describe legitimate activity that may trigger this rule and the filter or exclusion that can be applied in each case:
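To show how the condition "$a and 4 of ($xml_*)" behaves, and why an APK must be unpacked before the strings can be seen, here is an added pure-Python re-implementation of the rule's logic (example code written for this page, not the rule author's tooling and not a substitute for YARA itself). The sample APK and its config.xml are constructed inline; the file names inside it are assumptions.

```python
import io
import zipfile

# String patterns copied from the tachi YARA rule above.
ANCHOR = b"svcdownload"
XML_TAGS = [b"<config>", b"<apptitle>", b"<txinicio>", b"<txiniciotitulo>",
            b"<txnored>", b"<txnoredtitulo>", b"<txnoredretry>", b"<txnoredsalir>",
            b"<laurl>", b"<txquieresalir>", b"<txquieresalirtitulo>",
            b"<txquieresalirsi>", b"<txquieresalirno>", b"<txfiltro>",
            b"<txfiltrourl>", b"<posicion>"]
THRESHOLD = 4  # "4 of ($xml_*)"


def evaluate(data: bytes) -> dict:
    """Mirror the rule condition: $a and at least 4 of the $xml_* tags."""
    has_anchor = ANCHOR in data
    hits = [t.decode() for t in XML_TAGS if t in data]
    return {"match": has_anchor and len(hits) >= THRESHOLD,
            "anchor": has_anchor, "xml_hits": hits}


def scan_apk(apk_bytes: bytes) -> dict:
    """Inflate every entry of the APK (a zip) and evaluate the rule over the
    unpacked contents, which is what scanning an extracted APK directory sees.
    Deflated entries do not expose their plaintext strings to a raw byte scan."""
    inflated = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if not info.is_dir():
                inflated.append(z.read(info))
    return evaluate(b"\n".join(inflated))


# Constructed sample config (hypothetical, not from a real app).
SAMPLE_CONFIG = (b"<config><apptitle>Demo</apptitle><txinicio>Hi</txinicio>"
                 b"<laurl>http://example.invalid/</laurl><posicion>1</posicion></config>")


def build_sample_apk(config_xml: bytes) -> bytes:
    """Constructed minimal APK-like zip: a fake classes.dex plus assets/config.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + ANCHOR + b"\x00" * 32)
        z.writestr("assets/config.xml", config_xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_sample_apk(SAMPLE_CONFIG)))
```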
Scenario: A system administrator is using Tachyon for legitimate system monitoring and performance analysis.
Filter/Exclusion: Exclude processes where the process name is tachyon.exe and the user is a domain admin or has the Administrators group membership.
Scenario: A scheduled job runs Tachyon to collect system metrics for a third-party monitoring tool like Datadog or New Relic.
Filter/Exclusion: Exclude processes where the command line includes --metrics or --collect and the parent process is a known monitoring service.
Scenario: A developer is using Tachyon for debugging or profiling a custom application.
Filter/Exclusion: Exclude processes where the process name is tachyon.exe and the user is a developer with a known development environment setup.
Scenario: A backup job uses Tachyon to archive logs or configuration files.
Filter/Exclusion: Exclude processes where the command line includes --backup or --archive and the parent process is a backup service like Veeam or Commvault.
Scenario: An IT team uses Tachyon to perform system diagnostics during routine maintenance.
Filter/Exclusion: Exclude processes where the process name is tachyon.exe and the event log or parent process indicates a scheduled maintenance task.