The hypothesis is that an adversary is running Dendroid, whose Droidian service leaves identifiable artifacts, indicating potential data theft or reconnaissance activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threat activity that may lead to more severe compromises.
YARA Rule
rule Dendroid_2 : android
{
    meta:
        author = "https://twitter.com/jsmesa"
        reference = "https://koodous.com/"
        description = "Dendroid evidences via Droidian service"
    strings:
        $a = "Droidian"          // service name marker
        $b = "DroidianService"   // full service class marker (contains $a)
    condition:
        all of them              // both markers must be present in the scanned file
}
This rule contains 2 string patterns ($a and $b) in its detection logic, and its condition requires both to be present. This YARA rule can be deployed in the following contexts, each given as a scenario and the filter or exclusion that applies to it:
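As an added example that is not part of the original page or the rule author's tooling, the script below re-implements the rule's two strings and its `all of them` condition in pure Python and runs it over a constructed stand-in APK. It shows a caveat a practitioner needs when deploying this rule: an APK is a ZIP, so a scan of the container as a file sees only deflated bytes and misses the markers, while a scan of the unpacked entries (here `classes.dex`) finds them. Function names, the sample APK contents and the `classes.dex` payload are all constructed for this example.

```python
import io
import zipfile

# The two strings from the Dendroid_2 rule; note $a is a substring of $b,
# so any buffer containing "DroidianService" satisfies both.
DENDROID_2_STRINGS = {"$a": b"Droidian", "$b": b"DroidianService"}


def dendroid_2_matches(data: bytes) -> bool:
    """Evaluate the rule's condition ('all of them') against one buffer."""
    return all(pattern in data for pattern in DENDROID_2_STRINGS.values())


def build_sample_apk() -> bytes:
    """Constructed stand-in for a Dendroid APK (not a real sample): a ZIP whose
    deflated classes.dex carries both marker strings plus zero padding so that
    zlib actually compresses the entry, as it would for a real dex file."""
    dex = b"dex\n035\x00" + b"Droidian\x00DroidianService\x00" + b"\x00" * 4096
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", dex)
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


def scan_container(apk: bytes) -> bool:
    """Scan the APK file as-is, the way a plain file-level scan would."""
    return dendroid_2_matches(apk)


def scan_entries(apk: bytes) -> list[str]:
    """Unpack the APK and evaluate the rule on each entry; return the names
    of entries that satisfy the condition."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if dendroid_2_matches(z.read(name)):
                hits.append(name)
    return hits


if __name__ == "__main__":
    sample = build_sample_apk()
    print("container scan:", scan_container(sample))  # False: deflate hides the strings
    print("per-entry scan:", scan_entries(sample))    # ['classes.dex']
```

Because `$a` is contained in `$b`, the rule's effective test is the presence of `DroidianService`; the example's last assertion-style check in `dendroid_2_matches` makes that visible.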
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude processes initiated by the Veeam service account or with command-line arguments containing veeam or backup.
Scenario: Administrative task to update Microsoft Endpoint Manager (Intune) configurations
Filter/Exclusion: Exclude processes with parent process ID matching the Microsoft Intune Management Extension or command-line arguments containing intune or update.
Scenario: Routine log collection using Splunk Universal Forwarder
Filter/Exclusion: Exclude processes with the Splunk service account or command-line arguments containing splunk or forwarder.
Scenario: Patch deployment via Microsoft System Center Configuration Manager (SCCM)
Filter/Exclusion: Exclude processes with parent process ID matching SCCM services or command-line arguments containing sccm, patch, or deploy.
Scenario: Automated script execution for Docker container management
Filter/Exclusion: Exclude processes with command-line arguments containing docker, run, or compose, or initiated by the root user in a containerized environment.