This YARA rule looks for strings associated with a Metasploit Android Meterpreter payload embedded in files. A match can indicate a compromised device or an attacker's remote code execution capability, so SOC teams should hunt for matches proactively (for example from Azure Sentinel) to catch early-stage adversary activity before it leads to further exploitation.
YARA Rule
rule android_meterpreter : android
{
    meta:
        author = "73mp74710n"
        ref = "https://github.com/zombieleet/yara-rules/blob/master/android_metasploit.yar"
        comment = "Metasploit Android Meterpreter Payload"
    strings:
        $checkPK = "META-INF/PK"
        $checkHp = "[Hp^"
        $checkSdeEncode = /;.Sk/
        $stopEval = "eval"
        $stopBase64 = "base64_decode"
    condition:
        any of ($check*) or any of ($stop*)
}
The rule contains five string patterns in two groups: the $check* strings (the "META-INF/PK" marker, the "[Hp^" byte sequence and the /;.Sk/ regex) and the $stop* strings ("eval" and "base64_decode"). The condition fires when any single one of the five is present, so the bare substring "eval" in an unrelated file is enough to produce a match. The scenarios below describe contexts in which a match may be benign and how to filter such hits.
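To see what the condition actually fires on, the following added Python re-implements the rule's five strings and its condition with the standard `re` module (it is an illustration written for this page, not yara-python and not code from the rule's author or repository) and runs them over constructed samples: a minimal zip built to mimic an APK's META-INF/ entry, a PHP one-liner, an ordinary text file and a clean file. The `android_meterpreter_tightened` function is a hypothetical alternative condition added for comparison; it is not part of the page's rule. Every sample input is constructed inline.

```python
"""Pure-Python re-implementation of the android_meterpreter YARA strings and
condition, used to show what the rule matches.  Added illustration only;
yara-python is not required."""
import io
import re
import zipfile

# The five strings from the rule.  YARA text strings are case-sensitive byte
# matches; /;.Sk/ is a YARA regex where '.' does not match a newline, which
# is also Python's default.
RULE_STRINGS = {
    "checkPK":        re.compile(re.escape(b"META-INF/PK")),
    "checkHp":        re.compile(re.escape(b"[Hp^")),
    "checkSdeEncode": re.compile(rb";.Sk"),
    "stopEval":       re.compile(re.escape(b"eval")),
    "stopBase64":     re.compile(re.escape(b"base64_decode")),
}


def matching_strings(data: bytes) -> set:
    """Identifiers of every rule string found anywhere in data."""
    return {name for name, pat in RULE_STRINGS.items() if pat.search(data)}


def android_meterpreter(data: bytes) -> bool:
    """The page's condition: any of ($check*) or any of ($stop*)."""
    hits = matching_strings(data)
    return any(h.startswith("check") for h in hits) or any(h.startswith("stop") for h in hits)


def android_meterpreter_tightened(data: bytes) -> bool:
    """Hypothetical tightened condition (an assumption for illustration, not
    the page's rule): require the zip/APK marker plus one more $check string,
    and drop the $stop strings, which match any file containing the bare
    substring 'eval' or 'base64_decode'."""
    hits = matching_strings(data)
    return "checkPK" in hits and bool(hits & {"checkHp", "checkSdeEncode"})


def sample_apk(with_markers: bool) -> bytes:
    """Constructed stand-in for an APK: a stored zip whose empty 'META-INF/'
    directory entry is immediately followed by the next local file header
    'PK\\x03\\x04', which is where the literal 'META-INF/PK' comes from.  With
    with_markers the fake classes.dex also carries the '[Hp^' byte sequence."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # default compression is ZIP_STORED
        for name, payload in [
            ("META-INF/", b""),
            ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
            ("classes.dex", b"dex\n035\x00" + (b"[Hp^" if with_markers else b"\x00" * 4)),
        ]:
            # Fixed timestamp keeps the header bytes reproducible between runs.
            info = zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0))
            z.writestr(info, payload)
    return buf.getvalue()


# Constructed samples: a PHP one-liner of the kind the $stop strings target,
# an ordinary text file that fires because 'evaluation' contains 'eval',
# and a file that matches nothing.
SAMPLE_WEBSHELL = b"<?php eval(base64_decode($_POST['c'])); ?>"
SAMPLE_BENIGN_TEXT = b"Quarterly evaluation report attached.\n"
SAMPLE_CLEAN = b"hello world\n"


if __name__ == "__main__":
    for label, data in [("apk (no markers)", sample_apk(False)),
                        ("apk (markers)", sample_apk(True)),
                        ("php one-liner", SAMPLE_WEBSHELL),
                        ("benign text", SAMPLE_BENIGN_TEXT),
                        ("clean", SAMPLE_CLEAN)]:
        print(f"{label:18} strings={sorted(matching_strings(data))} "
              f"page_rule={android_meterpreter(data)} "
              f"tightened={android_meterpreter_tightened(data)}")
```

Running the block prints one line per sample. The text file matches the page's rule only because "evaluation" contains "eval", and the PHP one-liner matches without any APK structure at all, which is why the $stop* strings should be dropped or combined with an APK marker before the rule is used at scale; the tightened variant is one way to do that, on the assumption that the APKs of interest contain the "META-INF/PK" sequence.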
Scenario: Android Meterpreter used by Red Team for Penetration Testing
Filter/Exclusion: Confirm that an authorized engagement is in progress and that red team tooling such as Cobalt Strike or Metasploit is expected in the environment; then exclude matches originating from the engagement's documented IP ranges, user accounts or staged files (by hash or path) rather than silencing the rule outright.
Scenario: Scheduled Job Running Meterpreter Payload
Filter/Exclusion: Exclude matches tied to scheduled tasks (e.g., schtasks.exe) only after verifying that the payload belongs to a legitimate automation or security-testing framework; scheduled tasks are also a common persistence mechanism, so check the task's creator and command line before excluding it.
Scenario: System Admin Using Meterpreter for Debugging or Troubleshooting
Filter/Exclusion: Exclude matches initiated by named admin accounts (e.g., Administrator, root) only where the activity is corroborated by legitimate debugging tooling such as adb or adb shell; an admin account on its own is not a sufficient reason to exclude, since those are the accounts an attacker with a Meterpreter session would use.
Scenario: Mobile Device Management (MDM) Tool Deploying Meterpreter for Patching
Filter/Exclusion: Exclude matches associated with MDM tools (e.g., Microsoft Intune, VMware Workspace ONE) after verifying that the flagged file is part of a known patching or configuration-management process; confirm the package's origin with the MDM owners rather than excluding every file the agent touches.
Scenario: Meterpreter Used in a Legitimate Security Assessment Tool
Filter/Exclusion: Exclude matches originating from security assessment tools (e.g., Rapid7's Metasploit, Qualys, or Tenable) and verify that the associated tooling is actually installed and in use in the environment.