The koler_class YARA rule is a file-content signature for Koler.A, an Android lock-screen ransomware family. It fires when a scanned file contains both of two fixed ASCII strings, "FIND_VALID_DOMAIN" and "6589y459"; the rule is tagged android and references Koodous, an Android malware sample repository. It is meant for scanning APK samples and their unpacked classes.dex, for example in a sample store or a mobile-threat sandbox. It does not inspect network traffic or process execution, so it supports sample triage and hunting across file collections rather than endpoint or SIEM telemetry.
YARA Rule
rule koler_class : android
{
    meta:
        author = "https://twitter.com/jsmesa"
        reference = "https://koodous.com/"
        description = "Koler.A class"
    strings:
        // Plain ASCII, case-sensitive literals (YARA defaults: no wide, no nocase)
        $0 = "FIND_VALID_DOMAIN"
        $a = "6589y459"
    condition:
        // Both strings must occur somewhere in the scanned file
        $0 and $a
}
This YARA rule can be deployed in the following contexts:

This rule contains 2 string patterns in its detection logic. Both are plain ASCII literals (no wide or nocase modifiers) and the condition requires both, so a hit means the scanned bytes contain "FIND_VALID_DOMAIN" and "6589y459" somewhere. Because the rule inspects file content, the exclusion lists commonly written for endpoint telemetry (update agents, backup or log-collection services, administrative scripts) do not apply to it; tuning is about what gets scanned and how a hit is confirmed.

Scenario: Bulk scanning of Android samples (Koodous, an internal sample store, a mobile sandbox)
Filter/Exclusion: Run the rule on the unpacked APK members, above all classes.dex. An APK is a zip archive whose members are normally deflate-compressed, so scanning the packed .apk file itself will usually miss both strings. The android tag lets you select this rule together with other Android rules (yara -t android).

Scenario: Triage of a single APK taken from a device or an MDM quarantine
Filter/Exclusion: Treat a match as a strong lead rather than proof. The strings are short literals that an unrelated app could in principle contain, so confirm with the package name, signing certificate and observed behaviour before classifying the sample as Koler.A.

Scenario: Recurring scans of large app collections (app store mirrors, enterprise app catalogues)
Filter/Exclusion: Record hits per member file. A file containing only one of the two strings does not fire the rule, and a repeated hit on a package already verified as benign is better excluded by package name or signing certificate hash than by weakening the rule.
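The rule logic applied to APK contents, as an added example that is not part of the original page or the rule author's code. It mirrors the condition $0 and $a in pure Python so it runs without yara-python, and builds a constructed zip with a fake classes.dex to show that the strings are found only after the archive is unpacked. The filler bytes, member names and payloads are assumptions made for the demonstration, not data from a Koler.A sample.

```python
"""Apply the koler_class rule logic to APK contents.

Added example, not the original page's code. Mirrors the rule's condition
($0 and $a, plain ASCII, case-sensitive) in pure Python and shows why an
APK must be unpacked first: YARA matches the bytes it is given, and an APK
is a zip archive whose members are usually deflate-compressed.
"""
import io
import zipfile

# The rule's strings, ASCII-encoded as YARA does by default (no 'wide', no 'nocase').
KOLER_STRINGS = {
    "$0": b"FIND_VALID_DOMAIN",
    "$a": b"6589y459",
}


def koler_class_matches(data: bytes) -> bool:
    """True when every string of the rule occurs in data (condition: $0 and $a).

    Byte-exact and case-sensitive, like the rule's unmodified string literals.
    """
    return all(s in data for s in KOLER_STRINGS.values())


def scan_apk(apk_bytes: bytes) -> dict:
    """Run the rule logic against each member of an APK after decompression.

    Returns {member_name: matched}. Input that is not a zip yields {}.
    """
    results = {}
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                results[info.filename] = koler_class_matches(zf.read(info))
    except zipfile.BadZipFile:
        pass
    return results


def build_apk(dex_payload: bytes) -> bytes:
    """Constructed fixture: a minimal deflate-compressed zip with a fake classes.dex.

    Not a real APK and not a real Koler sample; member names are assumptions.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder content
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


# Constructed payloads: DEX-like header filler plus the rule's strings.
FILLER = b"dex\n035\x00" + b"\x00" * 64
BOTH = build_apk(FILLER + b"FIND_VALID_DOMAIN\x00" + FILLER + b"6589y459\x00")
ONLY_ONE = build_apk(FILLER + b"FIND_VALID_DOMAIN\x00" + FILLER)

if __name__ == "__main__":
    # Scanning the packed archive misses the strings; unpacked classes.dex hits.
    print("packed archive matches:", koler_class_matches(BOTH))
    print("unpacked members:", scan_apk(BOTH))
    print("one string only:", scan_apk(ONLY_ONE))
```

Point the same unpack-then-scan loop at a real yara-python `rules.match(data=...)` call when the library is available; the decompression step is what matters, not the matching engine.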