Adversaries may use local exploit samples to gain initial access to a device or to escalate privileges once inside a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise early and prevent lateral movement.
YARA Rule
// Both rules use the androguard YARA module (as provided on Koodous), so the
// androguard.service()/androguard.receiver() checks are evaluated against the
// APK's manifest components; the string patterns match embedded native library names.
rule Android_Godlike
{
    meta:
        author = "Jacob Soo Lead Re"
        date = "01-July-2016"
        description = "This rule will be able to tag all the samples with local exploits."
        source = "http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/"
    strings:
        $a = "libgodlikelib.so"
    condition:
        (androguard.service(/godlike\.s/i) and
         androguard.service(/godlike\.g/i) and
         androguard.receiver(/godlike\.e/i)) or
        $a
}

rule Android_Godlike_2
{
    meta:
        author = "Jacob Soo Lead Re"
        date = "01-July-2016"
        description = "This rule will be able to tag all the samples with remote exploits."
        source = "http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/"
    strings:
        $a_1 = "libroot.so"
        $a_2 = "silent91_arm_bin.root"
        $a_3 = "libr.so"
        $a_4 = "libpl_droidsonroids_gif.so"
    condition:
        (androguard.service(/FastInstallService/i) and
         androguard.service(/DownloadService/i)) and
        any of ($a_*)
}
This YARA rule can be deployed in the following contexts:
The first rule, Android_Godlike, contains 1 string pattern (libgodlikelib.so) in its detection logic, combined with the androguard component checks.
The tuning scenarios below describe Windows host telemetry, whereas the rules above match Android APK components and embedded native library names; apply these exclusions only where the detection is correlated with Windows process events.

Scenario: A system administrator is performing a scheduled maintenance task using PowerShell to update system configurations.
Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line includes Update-Configuration or similar administrative scripts.

Scenario: A Windows Task Scheduler job is running a legitimate script to back up user profiles.
Filter/Exclusion: Exclude events where the process is initiated by the Task Scheduler service (svchost.exe or taskschd.exe) and the script path points to known backup scripts located in the system's backup directory.

Scenario: A local exploit is run over a Remote Desktop session by a user who is an authorized administrator.
Filter/Exclusion: Exclude events where the user is a member of the Administrators group and the session is initiated via RDP with a known admin account.

Scenario: A Windows Update installation is triggering a local privilege escalation due to a known vulnerability.
Filter/Exclusion: Exclude events where the process is wuauclt.exe (Windows Update) and the event occurs during a scheduled update window.

Scenario: A process analysis tool such as Sysinternals Process Explorer is being used to inspect running processes, which may trigger local exploit detection.
Filter/Exclusion: Exclude events where the process name is procexp.exe or Process Explorer.exe and the user is a known security analyst or administrator.