This detection identifies potential Dendroid trojan activity through unusual process creation or network behavior indicative of malicious payload execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before they escalate.
YARA Rule
rule Trojan_Dendroid
{
    meta:
        author = "https://www.twitter.com/SadFud75"
        description = "Detection of dendroid trojan"
    strings:
        $s1 = "/upload-pictures.php?"
        $s2 = "/get-functions.php?"
        $s3 = "/new-upload.php?"
        $s4 = "/message.php?"
        $s5 = "/get.php?"
    condition:
        3 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
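As an added example (not part of the rule or of the original page), the rule's five strings and its "3 of them" condition re-implemented in plain Python, so the threshold can be exercised on constructed buffers without a YARA install; the sample buffers and the example-c2.invalid host are constructed placeholders, not real indicators.

```python
from typing import Dict, List

# The five $s strings from the Trojan_Dendroid rule, keyed by their YARA identifiers.
DENDROID_STRINGS: Dict[str, bytes] = {
    "$s1": b"/upload-pictures.php?",
    "$s2": b"/get-functions.php?",
    "$s3": b"/new-upload.php?",
    "$s4": b"/message.php?",
    "$s5": b"/get.php?",
}

def find_all(data: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs (YARA reports all occurrences)."""
    offsets, start = [], data.find(needle)
    while start != -1:
        offsets.append(start)
        start = data.find(needle, start + 1)
    return offsets

def scan_buffer(data: bytes) -> Dict[str, List[int]]:
    """Map each rule string to its match offsets; unmatched strings are omitted."""
    hits = {name: find_all(data, s) for name, s in DENDROID_STRINGS.items()}
    return {name: offs for name, offs in hits.items() if offs}

def rule_matches(data: bytes, threshold: int = 3) -> bool:
    """Evaluate 'N of them': at least N distinct strings matched,
    no matter how often each one occurs."""
    return len(scan_buffer(data)) >= threshold

# Constructed sample resembling a strings dump that carries the rule's request
# paths (example-c2.invalid is a placeholder host, not a real indicator).
SUSPECT_SAMPLE = (
    b"http://example-c2.invalid/get.php?uid=\x00"
    b"http://example-c2.invalid/get-functions.php?uid=\x00"
    b"http://example-c2.invalid/new-upload.php?uid=\x00"
    b"http://example-c2.invalid/message.php?uid=\x00"
)

# Constructed benign sample: a generic PHP site that only uses the two common
# path names ($s4, $s5); the 3-of-5 threshold keeps it from firing.
BENIGN_SAMPLE = b"<a href='/message.php?id=1'>Inbox</a> <a href='/get.php?f=2'>Download</a>"

if __name__ == "__main__":
    for label, buf in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, rule_matches(buf), sorted(scan_buffer(buf)))
```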
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Task Scheduler job that runs dendroid.exe as part of a routine cleanup or patching process.
Filter/Exclusion: Check for process.parent_process containing taskhost.exe or schtasks.exe, or filter by process.command_line containing /C or /SC.
Scenario: Admin Using Dendroid for Debugging Purposes
Description: A system administrator is using a tool named dendroid.exe (which may be a renamed or custom tool) for debugging or testing network traffic.
Filter/Exclusion: Filter by process.user to include only admin accounts, or check for process.command_line containing known debugging flags or arguments.
Scenario: Legitimate Network Monitoring Tool
Description: A network monitoring or packet capture tool (e.g., Wireshark, tcpdump) is using a process named dendroid.exe as part of its operation.
Filter/Exclusion: Check for process.parent_process containing wireshark.exe or tcpdump, or filter by process.image matching the known legitimate tool path.
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool (e.g., Microsoft Defender, CrowdStrike Falcon) is using a process named dendroid.exe as part of its scanning or heuristic analysis.
Filter/Exclusion: Filter by process.parent_process containing mpsvc.exe, falcon.exe, or msmpeng.exe, or check for process.command_line containing known security tool arguments.
Scenario: Custom Script or Automation Tool
Description: A custom script or automation tool (e.g., PowerShell, Python script) is using a process named `