The “sensual woman” rule flags Android APKs whose package name matches one of seven identifiers tied to a family of apps that lure users with suggestive, socially engineered content. It matches on the package name reported by the androguard module (as provided on Koodous), not on payload bytes or obfuscated code, so a hit is a hunting lead rather than proof of compromise. SOC teams can proactively hunt for these package names in Azure Sentinel to identify and mitigate advanced persistent threat (APT) activity that relies on social engineering to compromise endpoints.
YARA Rule
// Requires the androguard module (available on Koodous); the package name
// is taken from the APK manifest. Patterns without the trailing "i" are
// case-sensitive; an unescaped "." matches any single character.
rule sensual_woman: chinese android
{
    meta:
        author = "https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
    condition:
        androguard.package_name(/com.phone.gzlok.live/)
        or androguard.package_name(/com.yongrun.app.sxmn/)
        or androguard.package_name(/com.wnm.zycs/)
        or androguard.package_name(/com.charile.chen/i)
        or androguard.package_name(/com.sp.meise/i)
        or androguard.package_name(/com.legame.wfxk.wjyg/)
        or androguard.package_name(/com.video.uiA/i)
}
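To see exactly which package names the condition above accepts, here is an added Python re-implementation of the rule's matching logic (example code, not part of the original rule or of Koodous). It assumes that androguard.package_name applies its regex as an unanchored search, and it also shows a stricter variant with the dots escaped so the patterns match only the literal package names. The sample package list is constructed for the demonstration.

```python
import re

# The seven package-name regexes from the rule, copied as written.
# The second field records the YARA "i" flag (case-insensitive match).
PACKAGE_PATTERNS = [
    ("com.phone.gzlok.live", False),
    ("com.yongrun.app.sxmn", False),
    ("com.wnm.zycs", False),
    ("com.charile.chen", True),
    ("com.sp.meise", True),
    ("com.legame.wfxk.wjyg", False),
    ("com.video.uiA", True),
]

# As written: "." is a regex wildcard, so "com-wnm-zycs" also matches.
AS_WRITTEN = [re.compile(p, re.IGNORECASE if ci else 0)
              for p, ci in PACKAGE_PATTERNS]

# Hardened variant: literal dots only, so only the exact package names match.
STRICT = [re.compile(re.escape(p), re.IGNORECASE if ci else 0)
          for p, ci in PACKAGE_PATTERNS]


def matches_rule(package_name: str, strict: bool = False) -> bool:
    """Return True if the package name satisfies the rule's condition.

    Assumption: androguard.package_name() evaluates its regex as an
    unanchored search over the manifest package name, so re.search is used.
    """
    patterns = STRICT if strict else AS_WRITTEN
    return any(p.search(package_name) for p in patterns)


def triage(package_names, strict: bool = False):
    """Return the subset of package names that would fire the rule."""
    return [name for name in package_names if matches_rule(name, strict)]


# Constructed sample: package names as they might appear in APK manifests.
SAMPLE_PACKAGES = [
    "com.phone.gzlok.live",   # exact match, case-sensitive pattern
    "COM.SP.MEISE",           # matches: pattern carries the "i" flag
    "COM.PHONE.GZLOK.LIVE",   # no match: pattern is case-sensitive
    "com.android.settings",   # benign, no match
    "com-wnm-zycs",           # matches only because "." is unescaped
    "com.video.uia",          # matches: "i" flag on /com.video.uiA/
]

if __name__ == "__main__":
    print("as written:", triage(SAMPLE_PACKAGES))
    print("strict:    ", triage(SAMPLE_PACKAGES, strict=True))
```

Running it shows that the as-written rule accepts "com-wnm-zycs" while the escaped variant does not; if that looseness is unwanted, escaping the dots in the YARA patterns (com\.wnm\.zycs) is the one-line fix.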
This YARA rule can be deployed in the following contexts:
Scenario: User is viewing a legitimate marketing email with a sensual image
Filter/Exclusion: process.name == "msedge.exe" || process.name == "chrome.exe" (if the email client is known to open images in-browser; note that the negated form process.name != "msedge.exe" || process.name != "chrome.exe" is always true and would exclude everything)
Note: This could occur when a user opens a marketing email containing an image that is flagged by the YARA rule due to its content.
Scenario: System is running a scheduled backup job that includes a file with similar text
Filter/Exclusion: process.name == "wbadmin.exe" || process.name == "vssadmin.exe"
Note: Backup tools may process or archive files that contain text matching the rule, especially if the file is part of a document or log.
Scenario: Admin is reviewing a legitimate training video or presentation
Filter/Exclusion: process.name == "powershell.exe" && command_line contains "Invoke-WebRequest"
Note: An admin might be downloading or reviewing a training resource that includes content matching the rule, such as a slide deck or video.
Scenario: A legitimate application is using a file with similar content for internal processing
Filter/Exclusion: process.name == "notepad.exe" || process.name == "winword.exe"
Note: A document or script being edited in a word processor may contain text that triggers the rule, but is part of normal business operations.
Scenario: A user is testing a YARA rule or using a sandbox environment
Filter/Exclusion: process.name == "sandboxie.exe" || process.name == "vmtoolsd.exe"
Note: Testing or analysis in a sandbox may involve files that match the rule but are not malicious.