The hypothesis is that the rule detects potential Dendroid malware activity through suspicious process execution patterns indicative of adversarial behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Dendroid infections before they escalate.
YARA Rule
import "androguard"

rule Android_Dendroid
{
    meta:
        author = "Jacob Soo Lead Re"
        date = "19-May-2016"
        description = "This rule try to detect Dendroid"
        source = "https://blog.lookout.com/blog/2014/03/06/dendroid/"
    condition:
        androguard.service(/com.connect/i) and
        androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/i)
}
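The two androguard conditions above are evaluated against the APK's manifest. As an added illustration (not code from the page or from the rule's author), the following Python approximates the same condition on a decoded AndroidManifest.xml, so an analyst can see exactly which manifest elements the rule keys on; the two sample manifests are constructed, not real Dendroid artifacts.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Same patterns as the YARA rule. Note the unescaped '.' in /com.connect/ matches
# any character, exactly as written in the rule (so "comXconnect" would also hit).
SERVICE_RE = re.compile(r"com.connect", re.IGNORECASE)
PERMISSION_RE = re.compile(r"android.permission.RECEIVE_BOOT_COMPLETED", re.IGNORECASE)


def parse_manifest(xml_text):
    """Return (service names, requested permissions) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    name_attr = "{%s}name" % ANDROID_NS
    services = [s.get(name_attr, "") for s in root.iter("service")]
    permissions = [p.get(name_attr, "") for p in root.iter("uses-permission")]
    return services, permissions


def matches_dendroid_rule(xml_text):
    """Mirror the rule condition: a service matching /com.connect/i AND the
    RECEIVE_BOOT_COMPLETED permission. Both must be present to match."""
    services, permissions = parse_manifest(xml_text)
    has_service = any(SERVICE_RE.search(s) for s in services)
    has_perm = any(PERMISSION_RE.search(p) for p in permissions)
    return has_service and has_perm


# Constructed sample: boot-completed permission plus a com.connect service -> match
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.a">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name="com.connect.MyService"/>
  </application>
</manifest>"""

# Constructed sample: boot-completed permission alone (very common in benign apps) -> no match
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.b">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name="com.example.b.SyncService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print("suspect:", matches_dendroid_rule(SUSPECT_MANIFEST))
    print("benign:", matches_dendroid_rule(BENIGN_MANIFEST))
```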
When this YARA rule is deployed, the following benign scenarios may resemble the flagged behavior; each lists a filter or exclusion to reduce false positives:
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running via Task Scheduler to perform system maintenance (e.g., disk cleanup, log rotation).
Filter/Exclusion: Check for Task Scheduler or schtasks.exe in the process tree, or filter by process name schtasks.exe.
Scenario: Admin Performing User Management via PowerShell
Description: An administrator is using PowerShell to bulk modify user accounts or permissions (e.g., using Set-ADUser or net user).
Filter/Exclusion: Filter by process name powershell.exe and check for known admin scripts or command-line arguments related to user management.
Scenario: Database Backup Job Execution
Description: A database backup job is running via SQL Server Agent or a scheduled task, which may involve file system activity that resembles malicious behavior.
Filter/Exclusion: Check for sqlservr.exe or sqlagent.exe in the process tree, or filter by file paths common to database backups (e.g., C:\Program Files\Microsoft SQL Server\).
Scenario: Software Update Deployment via Group Policy
Description: A Group Policy update is being deployed, which may trigger file modifications or registry changes that could be flagged by the rule.
Filter/Exclusion: Filter by process name gpupdate.exe or check for Group Policy related processes in the process tree.
Scenario: Log File Rotation by Log Management Tool
Description: A log management tool (e.g., Splunk, ELK Stack, or Windows Event Log) is rotating or archiving log files, which may involve file system activity similar to Dendroid behavior.
Filter/Exclusion: Check for process names like splunkd.exe, logrotate.exe, or eventvwr.exe