Apps compiled using the Metasploit framework may indicate the presence of malicious payloads or exploit code, as Metasploit is commonly used by attackers to develop and deploy exploit-based malware. SOC teams should proactively hunt for such activity in Azure Sentinel to identify potential compromise or reconnaissance efforts early in the attack lifecycle.
YARA Rule
rule android_metasploit : android
{
    meta:
        author = "https://twitter.com/plutec_net"
        description = "This rule detects apps made with metasploit framework"
        sample = "cb9a217032620c63b85a58dde0f9493f69e4bda1e12b180047407c15ee491b41"

    strings:
        $a = "*Lcom/metasploit/stage/PayloadTrustManager;"
        $b = "(com.metasploit.stage.PayloadTrustManager"
        $c = "Lcom/metasploit/stage/Payload$1;"
        $d = "Lcom/metasploit/stage/Payload;"

    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic (Dalvik type descriptors for the Metasploit Android stager classes), and its condition is "all of them": the rule fires only when every one of the four strings is present in the scanned data.
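The following Python script is an added example (not part of the original page or the rule author's tooling) that re-implements the rule's matching logic in plain Python so the "all of them" semantics can be tested without a YARA install. It also shows the practical caveat that the strings live in the decompressed classes.dex, not in the deflate-compressed APK archive, so a scanner must open the zip and read each dex entry. The constructed classes.dex in build_sample_apk is a fake fixture containing only the descriptor strings, not a real DEX file.

```python
import io
import re
import zipfile

# The four byte patterns from the android_metasploit YARA rule above. The
# leading "*" and "(" in $a and $b are the bytes the rule author captured
# immediately before the descriptor in the DEX string table.
PATTERNS = {
    "$a": b"*Lcom/metasploit/stage/PayloadTrustManager;",
    "$b": b"(com.metasploit.stage.PayloadTrustManager",
    "$c": b"Lcom/metasploit/stage/Payload$1;",
    "$d": b"Lcom/metasploit/stage/Payload;",
}


def match_strings(data: bytes) -> dict:
    """Return, per string identifier, whether that pattern occurs in data."""
    return {name: pat in data for name, pat in PATTERNS.items()}


def rule_matches(data: bytes) -> bool:
    """The rule's condition is 'all of them': every pattern must be present."""
    return all(match_strings(data).values())


def scan_apk_bytes(apk: bytes) -> dict:
    """Scan every classes*.dex inside an APK (a zip archive) after decompression.

    Returns {"match": bool, "dex": {entry_name: {identifier: bool}}}. Scanning
    the raw .apk bytes instead would miss the strings because zip entries are
    normally deflate-compressed.
    """
    result = {"match": False, "dex": {}}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"classes\d*\.dex", name):
                continue
            hits = match_strings(zf.read(name))
            result["dex"][name] = hits
            if all(hits.values()):
                result["match"] = True
    return result


def build_sample_apk(include=("$a", "$b", "$c", "$d")) -> bytes:
    """Constructed test fixture: a zip with a fake classes.dex that carries the
    chosen descriptor strings. Not a valid DEX, just enough bytes to scan."""
    dex = b"dex\n035\x00" + b"\x00" * 16
    for name in include:
        dex += PATTERNS[name] + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python scan.py suspicious.apk
        with open(sys.argv[1], "rb") as f:
            report = scan_apk_bytes(f.read())
    else:
        report = scan_apk_bytes(build_sample_apk())
    for entry, hits in report["dex"].items():
        print(entry, {k: v for k, v in hits.items()})
    print("android_metasploit match:", report["match"])
```

A dex that carries only three of the four descriptors (for example an app that merely references the Payload class name) does not fire, which is the behaviour the rule's condition intends; if you need a looser variant for hunting, copy the rule and change the condition to `2 of them` rather than editing the original.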
Scenario: A system administrator is using Metasploit to perform a penetration test on a staging environment.
    Filter/Exclusion: Check for presence of a staging environment tag in the system metadata or filter by IP address range reserved for internal testing.

Scenario: A scheduled job runs Metasploit-based scripts to automate security assessments during off-peak hours.
    Filter/Exclusion: Exclude processes that match the scheduled job name or run time (e.g., between 2:00 AM and 4:00 AM).

Scenario: A developer is using Metasploit to reverse-engineer a malicious payload for analysis in a sandboxed environment.
    Filter/Exclusion: Filter by sandbox IP address or user account (e.g., sandbox_user) associated with the analysis environment.

Scenario: A CI/CD pipeline includes a Metasploit-based test to validate security controls in a development environment.
    Filter/Exclusion: Exclude processes initiated by the CI/CD agent or filter by job name containing "security-test" or "pentest".

Scenario: An IT support team uses Metasploit to simulate a phishing attack for training purposes.
    Filter/Exclusion: Filter by user group (e.g., training-team) or specific command-line arguments indicating a training scenario.
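The exclusion logic described in the scenarios above, as an added example that is not part of the original page. It implements each filter as a predicate over a hit record and returns the benign scenario that explains the hit, or None when it should be escalated. The record fields (source_ip, env_tag, job_name, initiator, scheduled, observed_at, user, user_groups) and the internal test range 10.250.0.0/16 are assumptions for illustration; the example values sandbox_user, training-team, "security-test", "pentest" and the 2:00 to 4:00 AM window come from the scenarios. Suppressed hits should still be logged so the allowlist itself can be audited.

```python
import ipaddress
from datetime import time
from typing import Optional

# Assumed tuning values for the scenarios above; adjust to your environment.
INTERNAL_TEST_RANGES = [ipaddress.ip_network("10.250.0.0/16")]  # constructed
SANDBOX_USERS = {"sandbox_user"}
TRAINING_GROUPS = {"training-team"}
CI_JOB_KEYWORDS = ("security-test", "pentest")
OFF_PEAK_WINDOW = (time(2, 0), time(4, 0))


def in_window(t: time, window) -> bool:
    """True if t falls in [start, end); handles windows that wrap midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def ip_in_ranges(addr: Optional[str], ranges) -> bool:
    """Safely test an address string against a list of networks."""
    if not addr:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def suppression_reason(alert: dict) -> Optional[str]:
    """Map a Metasploit-related hit to the benign scenario that explains it."""
    if alert.get("env_tag") == "staging" or ip_in_ranges(
        alert.get("source_ip"), INTERNAL_TEST_RANGES
    ):
        return "staging-pentest"
    job = (alert.get("job_name") or "").lower()
    if alert.get("initiator") == "ci-agent" or any(k in job for k in CI_JOB_KEYWORDS):
        return "ci-security-test"
    if alert.get("scheduled") and in_window(alert["observed_at"], OFF_PEAK_WINDOW):
        return "scheduled-assessment"
    if alert.get("user") in SANDBOX_USERS:
        return "sandbox-analysis"
    if TRAINING_GROUPS & set(alert.get("user_groups", ())):
        return "phishing-training"
    return None


def triage(alerts) -> list:
    """Return only the hits that no known-benign scenario explains."""
    return [a for a in alerts if suppression_reason(a) is None]


if __name__ == "__main__":
    # Constructed sample hits
    sample = [
        {"source_ip": "10.250.3.4", "observed_at": time(14, 0)},
        {"source_ip": "203.0.113.7", "user": "sandbox_user", "observed_at": time(9, 0)},
        {"source_ip": "203.0.113.9", "user": "jdoe", "observed_at": time(3, 0)},
    ]
    for a in sample:
        print(a.get("user", "?"), a["source_ip"], "->", suppression_reason(a) or "ESCALATE")
    print("to escalate:", len(triage(sample)))
```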