The Dendroid RAT detection rule identifies potential adversary communication with a compromised device, leveraging unusual network behavior indicative of remote access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage compromise and prevent lateral movement within the environment.
YARA Rule
rule Dendroid : android
{
    meta:
        author = "https://twitter.com/jsmesa"
        reference = "https://koodous.com/"
        description = "Dendroid RAT"
    strings:
        $s1 = "/upload-pictures.php?"
        $s2 = "Opened Dialog:"
        $s3 = "com/connect/MyService"
        $s4 = "android/os/Binder"
        $s5 = "android/app/Service"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
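To show how the rule's `all of them` condition behaves on Android samples, here is an added Python mirror of its five strings (this is example code written for this page, not part of the rule or the Koodous project). It scans each entry inside an APK after decompression and uses constructed sample bytes; `build_sample_apk`, `scan_apk` and the DEX contents are illustrative assumptions.

```python
# Added example: pure-Python mirror of the Dendroid YARA rule's five strings and
# its 'all of them' condition, applied per entry inside an APK (a zip archive).
# All sample data below is constructed for illustration.
import io
import zipfile

# The five string patterns from the rule, keyed by their YARA identifiers.
DENDROID_STRINGS = {
    "$s1": b"/upload-pictures.php?",
    "$s2": b"Opened Dialog:",
    "$s3": b"com/connect/MyService",
    "$s4": b"android/os/Binder",
    "$s5": b"android/app/Service",
}


def matched_strings(data: bytes) -> set:
    """Return the identifiers of every rule string found in the buffer."""
    return {ident for ident, pattern in DENDROID_STRINGS.items() if pattern in data}


def is_dendroid_match(data: bytes) -> bool:
    """Equivalent of the rule's 'all of them': every string must be present.
    $s4 and $s5 are ordinary Android framework references, so a buffer that
    only carries those (plus one more string) must not fire the rule."""
    return matched_strings(data) == set(DENDROID_STRINGS)


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan each entry of an APK and report the matched identifiers per entry.
    Running YARA on the APK file itself sees deflate-compressed bytes, so the
    strings are only reliably visible once each entry has been decompressed."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            results[name] = matched_strings(apk.read(name))
    return results


def build_sample_apk() -> bytes:
    """Constructed sample: a fake classes.dex carrying all five strings beside
    a benign helper DEX that only references the two framework classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("classes.dex", b"\x00".join(DENDROID_STRINGS.values()))
        apk.writestr("classes2.dex", b"Landroid/os/Binder;\x00Landroid/app/Service;")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_apk(build_sample_apk()).items():
        verdict = "MATCH" if hits == set(DENDROID_STRINGS) else "no match"
        print(f"{entry}: {verdict} ({len(hits)}/5 strings)")
```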
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup job, may trigger the Dendroid RAT detection due to similar process names or behavior.
Filter/Exclusion: Check for schtasks.exe with known legitimate command-line arguments, e.g., schtasks /run /tn "CleanupJob".
Scenario: Admin Performing Remote Desktop Session
Description: An administrator using mstsc.exe (Remote Desktop Connection) to access a remote system may be flagged due to network activity or process similarities with Dendroid RAT.
Filter/Exclusion: Filter events where the process is mstsc.exe and the user is a known admin with elevated privileges.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool like Windows Defender or Malwarebytes may trigger the Dendroid RAT rule during a full system scan due to file or process matching.
Filter/Exclusion: Exclude processes related to Windows Defender (e.g., MsMpEng.exe) or Malwarebytes (e.g., mbam.exe).
Scenario: PowerShell Script for Configuration Management
Description: A PowerShell script used for configuration management (e.g., PowerShell.exe running a script to update group policies) may be flagged due to script execution patterns similar to Dendroid RAT.
Filter/Exclusion: Filter events where the script path is known and legitimate, such as C:\Windows\System32\GroupPolicy\gpolusr.exe or scripts in the C:\Windows\System32\ directory.
Scenario: Logon Session Initialization
Description: A legitimate logon session initialization process, such as LogonUI.exe or