The Koler.D class detection rule identifies potential adversary behaviour involving suspicious file execution and network communication patterns commonly associated with low-privilege persistence and lateral movement. SOC teams should proactively hunt for this behaviour in Azure Sentinel so that early-stage threat activity is detected and mitigated before it leads to deeper network compromise.
YARA Rule

rule koler_D : android
{
    meta:
        author = "https://twitter.com/jsmesa"
        reference = "https://koodous.com/"
        description = "Koler.D class"
    strings:
        $0 = "ZActivity"
        $a = "Lcom/android/zics/ZRuntimeInterface"
    condition:
        ($0 and $a)
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
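The following is an added example, not part of the rule page or the Koodous author's code. It re-implements the rule's condition ($0 and $a) in pure Python as a stand-in for running YARA, and uses it to show a practical caveat for this rule: YARA matches on the raw bytes it is handed, so when the target is a deflate-compressed APK the two class-name strings inside classes.dex are not visible until the entry is decompressed. The sample "APK" and its classes.dex body are constructed in memory and are not real malware; the helper names (evaluate_koler_d, scan_apk_entries, build_sample_apk) are this example's own.

```python
import io
import zipfile

# The two patterns from the koler_D rule, as raw bytes. YARA text strings match
# on raw file bytes, so the same byte sequences are what a scanner must find.
RULE_STRINGS = {
    "$0": b"ZActivity",
    "$a": b"Lcom/android/zics/ZRuntimeInterface",
}

# Constructed stand-in for a classes.dex body (not a real sample). The repeated
# class paths give deflate something to compress, as a real dex would.
CONSTRUCTED_DEX = (
    b"dex\n035\x00"
    + b"Lcom/android/zics/ZActivity;" * 4
    + b"Lcom/android/zics/ZRuntimeInterface;"
    + b"Lcom/android/zics/ZHelper;" * 4
)


def matched_strings(data: bytes) -> list:
    """Return the identifiers of the rule strings present in data (useful triage output)."""
    return [ident for ident, pattern in RULE_STRINGS.items() if pattern in data]


def evaluate_koler_d(data: bytes) -> bool:
    """Pure-Python stand-in for the rule condition ($0 and $a): both strings must occur."""
    return len(matched_strings(data)) == len(RULE_STRINGS)


def build_sample_apk(dex_body: bytes) -> bytes:
    """Construct an in-memory, deflate-compressed zip shaped like an APK (assumption: typical APK layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.constructed'/>")
        zf.writestr("classes.dex", dex_body)
    return buf.getvalue()


def scan_apk_entries(apk_bytes: bytes) -> dict:
    """Apply the condition to every decompressed entry, the way an APK-aware scanner would."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            results[name] = evaluate_koler_d(zf.read(name))
    return results


def demo() -> dict:
    """Run the rule three ways to show where it does and does not fire."""
    apk = build_sample_apk(CONSTRUCTED_DEX)
    return {
        # Raw zip bytes: the strings sit inside compressed data, so no hit.
        "raw_zip": evaluate_koler_d(apk),
        # Per-entry scan after decompression: classes.dex hits, the manifest does not.
        "entries": scan_apk_entries(apk),
        # One of the two strings alone does not satisfy ($0 and $a).
        "partial": evaluate_koler_d(b"ZActivity only"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical point is the first two results: a plain file scan of the packaged APK reports no match, while a scan of the unpacked entries does. If your pipeline feeds YARA whole APKs, unpack them (or scan the extracted dex) before applying this rule, otherwise the detection silently never fires.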
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: process.name != "vbm" AND process.name != "vagent"

Scenario: Windows Update installation via Group Policy or Windows Server Update Services (WSUS)
Filter/Exclusion: process.name != "wusa.exe" AND process.name != "msiexec.exe"

Scenario: Database maintenance task using SQL Server Agent job
Filter/Exclusion: process.name != "sqlservr.exe" AND process.name != "sqlagent.exe"

Scenario: Log file rotation using Logrotate on Linux systems
Filter/Exclusion: process.name != "logrotate" AND process.name != "rsyslogd"

Scenario: Antivirus scan initiated by Windows Defender or a third-party tool such as Bitdefender
Filter/Exclusion: process.name != "MsMpEng.exe" AND process.name != "bdagent.exe"