The detection identifies potential adversary use of the Dendroid malware leveraging the ServiceReceiver component to exfiltrate data or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage compromise and prevent lateral movement within the environment.
YARA Rule
rule Dendroid_3 : android
{
    meta:
        author = "https://twitter.com/jsmesa"
        reference = "https://koodous.com/"
        description = "Dendroid evidences via ServiceReceiver"
    strings:
        $1 = "ServiceReceiver"
        $2 = "Dendroid"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
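To show what "all of them" means for this rule in practice, here is an added example (not from the page or the rule's author): a minimal Python matcher, assumed as a stand-in for the real yara-python bindings, that parses the two text strings of Dendroid_3 and runs them over two constructed byte blobs, one carrying both markers and one benign app that merely declares a ServiceReceiver class.

```python
import re

# Dendroid_3 as given on the page, reduced to the parts the matcher needs
# (meta omitted; YARA's own parser is the reference, this handles a subset).
DENDROID_3 = r'''
rule Dendroid_3 : android
{
    strings:
        $1 = "ServiceReceiver"
        $2 = "Dendroid"
    condition:
        all of them
}
'''

def parse_rule(text):
    """Extract rule name, text strings ($id -> bytes) and the condition line."""
    name = re.search(r'^\s*rule\s+(\w+)', text, re.M).group(1)
    strings = {m.group(1): m.group(2).encode()
               for m in re.finditer(r'\$(\w+)\s*=\s*"([^"]*)"', text)}
    cond = re.search(r'condition:\s*(.+?)\s*}', text, re.S).group(1).strip()
    return name, strings, cond

def scan(rule_text, data):
    """Mimic YARA for 'all of them' / 'any of them': return the identifiers of
    matched strings when the rule fires, else None. Plain case-sensitive ASCII
    only; wide/nocase modifiers and hex/regex strings are not supported."""
    _, strings, cond = parse_rule(rule_text)
    hits = [ident for ident, pat in strings.items() if pat in data]
    if cond == "all of them":
        fired = len(hits) == len(strings)
    elif cond == "any of them":
        fired = bool(hits)
    else:
        raise ValueError(f"unsupported condition: {cond}")
    return hits if fired else None

# Constructed sample blobs (not real APK or dex content).
DENDROID_LIKE = b"Lcom/app/ServiceReceiver;\x00Dendroid\x00MyService"
BENIGN_APP = b"Lcom/example/ServiceReceiver;\x00BOOT_COMPLETED"

if __name__ == "__main__":
    # Only the sample carrying both markers fires; a benign app that merely
    # declares a ServiceReceiver class does not satisfy 'all of them'.
    print(scan(DENDROID_3, DENDROID_LIKE))  # ['1', '2']
    print(scan(DENDROID_3, BENIGN_APP))     # None
```

The second sample is the false-positive case the "all of them" condition is there to suppress: "ServiceReceiver" alone is a common Android class name, so the rule only fires when the "Dendroid" marker is present as well.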
Scenario: Scheduled system maintenance using Windows Task Scheduler
Filter/Exclusion: Exclude events where the process is schtasks.exe or the activity is Task Scheduler-related.
Scenario: Logon and logoff events during normal user authentication
Filter/Exclusion: Exclude events with event ID 4624 (successful logon) or 4625 (failed logon) from known user accounts.
Scenario: System updates or patches deployed via Microsoft Endpoint Manager (Intune)
Filter/Exclusion: Exclude processes associated with mpcmdrun.exe or msiexec.exe during update windows.
Scenario: Administrative tools like Group Policy Management Console (GPMC) or PowerShell remoting
Filter/Exclusion: Exclude processes initiated from known administrative tools or with elevated privileges (e.g., powershell.exe with -Command or -File parameters).
Scenario: Database backups executed by SQL Server Agent Jobs
Filter/Exclusion: Exclude events where the process is sqlservr.exe or sqlagent.exe and associated with known backup schedules.