Adversaries may use low-privilege accounts to move laterally within the network; such activity can indicate an initial compromise or an attempt to maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel so that long-term threats are identified and mitigated before they escalate.
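As an added example (not part of the original page), the hunt described above reduced to a small offline script: it takes Windows logon events shaped like the fields of Sentinel's SecurityEvent table (EventID, LogonType, Account, Computer, IpAddress) and flags non-privileged accounts whose network logons (EventID 4624, LogonType 3) reach an unusually large number of distinct hosts inside one time window. The sample events, the privileged-account list and the threshold are constructed assumptions.

```python
"""Added example: flag non-privileged accounts that log on over the network
to many distinct hosts within a short window. Field names mirror Sentinel's
SecurityEvent table; events, allow-list and threshold are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, logon_type, account, computer, ip="10.0.0.5"):
    """Build one constructed 4624 (successful logon) event."""
    return {"TimeGenerated": ts, "EventID": 4624, "LogonType": logon_type,
            "Account": account, "Computer": computer, "IpAddress": ip}


# Constructed sample data: a service account fanning out to four hosts in
# 20 minutes, an admin doing the same (allow-listed), a user touching two
# hosts, a slow spread over four hours, and one interactive (type 2) logon.
SAMPLE_EVENTS = [
    _ev("2024-01-10T09:00:00", 3, "CORP\\svc_backup", "FS01"),
    _ev("2024-01-10T09:05:00", 3, "CORP\\svc_backup", "FS02"),
    _ev("2024-01-10T09:10:00", 3, "CORP\\svc_backup", "WS03"),
    _ev("2024-01-10T09:20:00", 3, "CORP\\svc_backup", "WS04"),
    _ev("2024-01-10T09:00:00", 3, "CORP\\admin_jdoe", "DC01"),
    _ev("2024-01-10T09:01:00", 3, "CORP\\admin_jdoe", "DC02"),
    _ev("2024-01-10T09:02:00", 3, "CORP\\admin_jdoe", "FS01"),
    _ev("2024-01-10T09:30:00", 3, "CORP\\user_alice", "WS10"),
    _ev("2024-01-10T09:31:00", 3, "CORP\\user_alice", "WS11"),
    _ev("2024-01-10T09:32:00", 2, "CORP\\user_alice", "WS12"),
    _ev("2024-01-10T08:00:00", 3, "CORP\\user_bob", "WS20"),
    _ev("2024-01-10T10:00:00", 3, "CORP\\user_bob", "WS21"),
    _ev("2024-01-10T12:00:00", 3, "CORP\\user_bob", "WS22"),
]

# Constructed allow-list of accounts expected to reach many hosts.
PRIVILEGED_ACCOUNTS = {"corp\\admin_jdoe"}
HOST_THRESHOLD = 3          # distinct hosts that trigger a finding
WINDOW = timedelta(hours=1)  # sliding window length


def hunt_network_logon_spread(events, privileged=PRIVILEGED_ACCOUNTS,
                              threshold=HOST_THRESHOLD, window=WINDOW):
    """Return {account: sorted hosts} for non-privileged accounts whose
    type-3 logons touch at least `threshold` distinct hosts within `window`."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] != 3:
            continue  # only successful network logons are of interest here
        account = ev["Account"].lower()
        if account in privileged:
            continue
        ts = datetime.fromisoformat(ev["TimeGenerated"])
        per_account[account].append((ts, ev["Computer"]))

    findings = {}
    for account, items in per_account.items():
        items.sort()
        # Slide a window starting at each logon and count distinct hosts.
        for i, (t0, _) in enumerate(items):
            hosts = {host for t, host in items[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                findings[account] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    for acct, hosts in hunt_network_logon_spread(SAMPLE_EVENTS).items():
        print(f"{acct}: network logons to {len(hosts)} hosts: {hosts}")
```

The same logic maps onto a Sentinel query by grouping SecurityEvent rows with EventID 4624 and LogonType 3 by Account over a time bin and counting distinct Computer values; the Python version is only meant to make the threshold and windowing decisions explicit before they are encoded in KQL.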
YARA Rule
rule sms_fraud_gen : generic android
{
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = "080229013346Z"
        $c = "350717013346Z0"
        $b = "NUMBER_CHAR_EXP_SIGN"
    condition:
        $a and $b and $c and
        androguard.permission(/android.permission.SEND_SMS/)
}
The rule's detection logic combines three string patterns ($a, $b and $c, all of which must be present) with a check from YARA's androguard module that the APK requests android.permission.SEND_SMS. The androguard module is provided by Koodous-style YARA builds; a plain YARA instance without that module will not compile this rule.
Scenario: A system administrator is using PowerShell to perform a scheduled backup of user profiles.
Filter/Exclusion: process.parent_process == "powershell.exe" OR process.parent_process_path == "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
Scenario: A Windows Task Scheduler job is running a legitimate script to update software inventory.
Filter/Exclusion: process.parent_process == "schtasks.exe" OR process.parent_process_path == "C:\\Windows\\System32\\schtasks.exe"
Scenario: A Microsoft SQL Server Agent job is executing a maintenance script that temporarily increases process memory usage.
Filter/Exclusion: process.parent_process == "sqlagent.exe" OR process.parent_process_path == "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlagent.exe"
Scenario: A Windows Update process is running in the background to install critical patches.
Filter/Exclusion: process.name == "wuauserv.exe" OR (process.name == "svchost.exe" AND process.parent_process == "services.exe")
Scenario: A Docker container is running a legitimate application that uses elevated privileges for configuration.
Filter/Exclusion: process.parent_process == "docker.exe" OR process.parent_process_path == "C:\\Program Files\\Docker\\docker.exe"
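As an added example (not from the original page), the five exclusions above applied to constructed process events. Each exclusion is a named predicate and an event is suppressed when any predicate matches; the Windows Update predicate is written with explicit parentheses so that svchost.exe is only excluded when services.exe is its parent. The field names (name, parent_process, parent_process_path) follow the filters on the page; the sample events are constructed.

```python
"""Added example: evaluate the page's exclusion filters against constructed
process events. Field names follow the page; events are constructed."""


def _f(event, key):
    """Tolerant, case-insensitive field access: Windows process names and
    paths are case-insensitive, and telemetry often omits the path field."""
    return str(event.get(key, "")).lower()


# Lower-cased copies of the paths used in the page's filters.
PS_PATH = r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"
SCHTASKS_PATH = r"c:\windows\system32\schtasks.exe"
SQLAGENT_PATH = (r"c:\program files\microsoft sql server\mssql15.mssqlserver"
                 r"\mssql\binn\sqlagent.exe")
DOCKER_PATH = r"c:\program files\docker\docker.exe"

EXCLUSIONS = {
    "powershell_backup": lambda e: _f(e, "parent_process") == "powershell.exe"
        or _f(e, "parent_process_path") == PS_PATH,
    "task_scheduler": lambda e: _f(e, "parent_process") == "schtasks.exe"
        or _f(e, "parent_process_path") == SCHTASKS_PATH,
    "sql_agent": lambda e: _f(e, "parent_process") == "sqlagent.exe"
        or _f(e, "parent_process_path") == SQLAGENT_PATH,
    # Parentheses make the precedence explicit: wuauserv.exe on its own, or
    # svchost.exe only when it was started by services.exe. Without them a
    # reader (or a query engine) may bind AND tighter than OR and silently
    # widen or narrow the exclusion.
    "windows_update": lambda e: _f(e, "name") == "wuauserv.exe"
        or (_f(e, "name") == "svchost.exe"
            and _f(e, "parent_process") == "services.exe"),
    "docker": lambda e: _f(e, "parent_process") == "docker.exe"
        or _f(e, "parent_process_path") == DOCKER_PATH,
}

# Constructed sample events: two that each scenario should suppress, an
# svchost.exe with an unexpected parent that must NOT be suppressed, and an
# unrelated process.
SAMPLE_EVENTS = [
    {"name": "backup.exe", "parent_process": "powershell.exe",
     "parent_process_path":
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"name": "inventory.exe", "parent_process": "schtasks.exe",
     "parent_process_path": r"C:\Windows\System32\schtasks.exe"},
    {"name": "svchost.exe", "parent_process": "services.exe"},
    {"name": "svchost.exe", "parent_process": "cmd.exe"},
    {"name": "unknown.exe", "parent_process": "explorer.exe"},
]


def matching_exclusions(event):
    """Names of every exclusion that matches the event (empty list if none)."""
    return [name for name, pred in EXCLUSIONS.items() if pred(event)]


def apply_exclusions(events):
    """Events that survive filtering, i.e. those no exclusion matches."""
    return [e for e in events if not matching_exclusions(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["name"], "<-", e["parent_process"], "->",
              matching_exclusions(e) or "kept for review")
```

Keeping the exclusions as named predicates also makes it cheap to record which exclusion suppressed an event, which is what you want when later reviewing whether an exclusion has become too broad.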