This rule flags Android APKs whose manifest declares an activity named PanickedActivity together with the RECEIVE_BOOT_COMPLETED, INTERNET and WAKE_LOCK permissions, the combination observed in the Dogspectus ransomware described in the linked Blue Coat write-up. It is a static APK-classification rule built on YARA's androguard module, not a network or host-telemetry detection: it inspects a sample's manifest, so it belongs in an APK scanning pipeline rather than in a SIEM hunt over network traffic or access logs.
YARA Rule
rule Android_Dogspectus
{
meta:
author = "Jacob Soo Lead Re"
date = "20-July-2016"
description = "This rule tries to detect Dogspectus"
source = "https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware"
condition:
androguard.activity(/PanickedActivity/i) and
androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/i) and
androguard.permission(/android.permission.INTERNET/i) and
androguard.permission(/android.permission.WAKE_LOCK/i)
}
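The condition above only compiles in a YARA build that includes the androguard module, so the following added example (not part of the original rule or of the Koodous project) re-implements the same four clauses in plain Python over a decoded AndroidManifest.xml, as produced by apktool or androguard's axml decoder. The two manifests and their package names are constructed for illustration; the benign one deliberately requests the same three permissions to show that only the activity-name clause separates the two.

```python
"""Re-implementation of the Android_Dogspectus YARA condition over a decoded
AndroidManifest.xml. Added example, not the original rule author's code."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Same clauses as the YARA rule: one activity regex and three permissions,
# all compared case-insensitively to mirror the /i modifiers.
ACTIVITY_PATTERN = re.compile(r"PanickedActivity", re.IGNORECASE)
REQUIRED_PERMISSIONS = {
    "android.permission.receive_boot_completed",
    "android.permission.internet",
    "android.permission.wake_lock",
}

# Constructed manifests (package names are hypothetical).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lockscreen">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Update">
    <activity android:name="com.example.lockscreen.PanickedActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# A legitimate-looking media player that needs the very same permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Player">
    <activity android:name="com.example.player.MainActivity"/>
    <service android:name=".PlaybackService"/>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (activity names, lower-cased permission set) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    activities = [a.get(NAME_ATTR, "") for a in root.iter("activity")]
    permissions = {p.get(NAME_ATTR, "").lower() for p in root.iter("uses-permission")}
    return activities, permissions


def permissions_match(permissions):
    """The three androguard.permission() clauses: all must be present."""
    return REQUIRED_PERMISSIONS <= permissions


def activity_match(activities):
    """The androguard.activity(/PanickedActivity/i) clause."""
    return any(ACTIVITY_PATTERN.search(name) for name in activities)


def matches_dogspectus_rule(xml_text):
    """Full rule condition: activity clause AND all permission clauses."""
    activities, permissions = parse_manifest(xml_text)
    return activity_match(activities) and permissions_match(permissions)


def triage(samples):
    """Map sample label -> (full rule hit, permission clauses alone hit).

    The second value shows how broad the permission clauses are without the
    activity check, which is why the activity name carries the rule."""
    result = {}
    for label, xml_text in samples.items():
        _, permissions = parse_manifest(xml_text)
        result[label] = (matches_dogspectus_rule(xml_text), permissions_match(permissions))
    return result


if __name__ == "__main__":
    for label, (hit, perms_only) in triage(
        {"suspicious": SUSPICIOUS_MANIFEST, "benign_player": BENIGN_MANIFEST}
    ).items():
        print("%-14s rule=%s permissions_only=%s" % (label, hit, perms_only))
```

Running it shows the benign player satisfying every permission clause while failing the rule, which is the point to keep in mind when tuning: dropping or loosening the activity regex turns this into a rule that fires on a large share of the Play Store.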
Deployment notes:
Module requirement: the condition calls androguard.activity() and androguard.permission(), which exist only in a YARA build that ships the androguard module, such as the one used by the Koodous analysis platform. Stock yara and yara-python reject the rule as an undefined identifier, so it cannot be dropped into a generic YARA scanner unchanged.
Target: feed it APK files (or decoded manifests, if you port the logic) from an app-intake or sandbox pipeline. It never inspects a running process, so the process-name exclusions that accompany host-based rules (backup agents, svchost.exe, Ansible, logrotate, SQL Server Agent) have no meaning here.
False positives: RECEIVE_BOOT_COMPLETED, INTERNET and WAKE_LOCK are requested by a large share of legitimate apps, so the three permission clauses alone would match broadly. The activity name PanickedActivity is the discriminating clause; treat a hit as a lead to confirm against the behaviour in the linked Blue Coat write-up and the sample's package name and signing certificate, not as a conviction on its own.