SandroRat is leveraging stealthy lateral movement techniques to establish persistent access within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term compromise and data exfiltration risks.
YARA Rule
import "androguard"

rule SandroRat
{
    meta:
        author = "Jacob Soo Lead Re"
        date = "21-May-2016"
        description = "This rule detects SandroRat"
        source = "https://blogs.mcafee.com/mcafee-labs/sandrorat-android-rat-targeting-polish-banking-users-via-e-mail-phishing/"
    condition:
        // Fires when any activity declared in the APK manifest has a name matching
        // the DroidJack server package (case-insensitive regex, androguard module)
        androguard.activity(/net.droidjack.server/i)
}
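The condition above tests each activity name declared in the APK manifest against a case-insensitive regex. As an added example, not part of the original rule or of the androguard project, the Python below reproduces that check over a decoded AndroidManifest.xml, including the resolution of package-relative activity names (a leading ".") that androguard performs before matching; SAMPLE_MANIFEST and BENIGN_MANIFEST are constructed inputs, not real samples.

```python
import re
import xml.etree.ElementTree as ET

# Namespace behind the android:name attribute in a decoded manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Same pattern as the rule condition androguard.activity(/net.droidjack.server/i).
DROIDJACK_ACTIVITY = re.compile(r"net\.droidjack\.server", re.IGNORECASE)

# Constructed sample manifest (not a real SandroRat/DroidJack sample): one
# package-relative activity name and one fully-qualified name with odd casing.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="net.droidjack.server">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name="net.DroidJack.Server.ConnActivity"/>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name="SettingsActivity"/>
  </application>
</manifest>"""


def activities(manifest_xml):
    """Return fully-qualified activity names from a decoded manifest.

    Names starting with '.' or lacking any '.' are relative to the package and
    are expanded first; matching raw attribute values would miss them.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    names = []
    for act in root.iter("activity"):
        name = act.get("{%s}name" % ANDROID_NS)
        if not name:
            continue
        if name.startswith("."):
            name = package + name
        elif "." not in name:
            name = package + "." + name
        names.append(name)
    return names


def matches_rule(manifest_xml):
    """True if any declared activity satisfies the rule's regex condition."""
    return any(DROIDJACK_ACTIVITY.search(n) for n in activities(manifest_xml))
```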
This YARA rule can be deployed in the following contexts:
Scenario: A system administrator is using PowerShell to run a legitimate script for system maintenance.
Filter/Exclusion: process.name != "powershell.exe" or process.name contains "maintenance"
Scenario: A scheduled job is configured to run Task Scheduler to perform routine backups using a script that mimics SandroRat behavior.
Filter/Exclusion: process.name contains "schtasks.exe" or process.parent.name contains "task scheduler"
Scenario: A security tool like Windows Defender or Microsoft Defender ATP is performing a scan and generates network traffic that matches the rule’s signature.
Filter/Exclusion: process.name contains "WindowsDefender" or process.name contains "mpsvc.exe"
Scenario: An IT administrator is using PsExec to remotely execute a command on a server for patching or configuration changes.
Filter/Exclusion: process.name contains "psexec.exe" or process.parent.name contains "cmd.exe"
Scenario: A legitimate application like SQL Server Agent is executing a job that includes network communication resembling SandroRat activity.
Filter/Exclusion: process.name contains "sqlservr.exe" or process.name contains "sqlagent.exe"