Koler.A builds may indicate the adversary is establishing a foothold by compiling malicious code within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and prevent further lateral movement.
YARA Rule
rule koler_builds : android
{
    meta:
        author = "https://twitter.com/jsmesa"
        reference = "https://koodous.com/"
        description = "Koler.A builds"
    strings:
        $0 = "buildid"
        $a = "DCEF055EEE3F76CABB27B3BD7233F6E3"
        $b = "C143D55D996634D1B761709372042474"
    condition:
        $0 and ($a or $b)
}
This rule contains three string patterns in its detection logic. The following scenarios describe legitimate activity that may produce false positives when this rule is deployed, with a suggested filter or exclusion for each:
Scenario: Scheduled build job using Jenkins or GitLab CI/CD
Filter/Exclusion: Check for job_name or pipeline_id in the event data to exclude known CI/CD pipelines.
Scenario: Docker image build using Docker CLI or Docker Desktop
Filter/Exclusion: Filter out events containing docker build or docker-compose build in the command line.
Scenario: System update or patching using Ansible or Chef
Filter/Exclusion: Exclude events with ansible-playbook or chef-client in the command line or process name.
Scenario: Backup job execution using Veeam or Commvault
Filter/Exclusion: Filter events with Veeam Backup or Commvault Backup in the process name or command line.
Scenario: Development environment build using Maven or Gradle
Filter/Exclusion: Exclude events with mvn build or gradle build in the command line or process name.
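As an added example (not part of the original page, not the rule author's code, and not yara-python), the Python below re-implements the rule's matching semantics for its three plain ASCII strings and the condition $0 and ($a or $b), then applies the filter/exclusion scenarios above to constructed, Sentinel-style events. The event field names (process_name, command_line, content, job_name, pipeline_id) and the sample events themselves are assumptions made for the demonstration.

```python
"""Re-implementation of the koler_builds rule logic plus the page's benign-build exclusions.

Constructed example: not the rule author's code and not yara-python. It mirrors
YARA's default string semantics for these patterns (ASCII, case-sensitive,
substring search) and the rule condition $0 and ($a or $b).
"""
from typing import Dict, List, Optional

# Strings exactly as declared in the koler_builds rule.
RULE_STRINGS: Dict[str, bytes] = {
    "$0": b"buildid",
    "$a": b"DCEF055EEE3F76CABB27B3BD7233F6E3",
    "$b": b"C143D55D996634D1B761709372042474",
}


def find_strings(data: bytes) -> Dict[str, List[int]]:
    """Return every offset at which each rule string occurs (YARA reports all matches)."""
    hits: Dict[str, List[int]] = {}
    for ident, pattern in RULE_STRINGS.items():
        offsets: List[int] = []
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx == -1:
                break
            offsets.append(idx)
            start = idx + 1  # allow overlapping matches, as YARA does
        hits[ident] = offsets
    return hits


def koler_builds_matches(data: bytes) -> bool:
    """Evaluate the rule condition: $0 and ($a or $b)."""
    hits = find_strings(data)
    return bool(hits["$0"]) and (bool(hits["$a"]) or bool(hits["$b"]))


# Benign scenarios from the page, keyed by a label, with the substrings to look for
# in the process name or command line (compared case-insensitively).
COMMAND_LINE_MARKERS: Dict[str, tuple] = {
    "Docker image build": ("docker build", "docker-compose build"),
    "Configuration management run": ("ansible-playbook", "chef-client"),
    "Backup job": ("veeam backup", "commvault backup"),
    "Maven/Gradle build": ("mvn build", "gradle build"),
}
# Scheduled CI/CD jobs are recognised by the presence of these fields in the event.
CI_FIELDS = ("job_name", "pipeline_id")


def benign_build_reason(event: dict) -> Optional[str]:
    """Return the matching exclusion label, or None if no benign scenario applies."""
    if any(field in event for field in CI_FIELDS):
        return "Scheduled CI/CD job"
    haystack = " ".join(
        (event.get("process_name", ""), event.get("command_line", ""))
    ).lower()
    for label, markers in COMMAND_LINE_MARKERS.items():
        if any(marker in haystack for marker in markers):
            return label
    return None


def triage(events: List[dict]) -> List[str]:
    """Return ids of events whose content matches the rule and that hit no exclusion."""
    alerts: List[str] = []
    for event in events:
        if not koler_builds_matches(event["content"]):
            continue
        if benign_build_reason(event) is None:
            alerts.append(event["id"])
    return alerts


# Constructed sample events (assumed schema): 'content' holds the scanned file bytes.
SAMPLE_EVENTS: List[dict] = [
    {"id": "evt-1", "process_name": "unknown.apk", "command_line": "",
     "content": b"...buildid...DCEF055EEE3F76CABB27B3BD7233F6E3..."},
    {"id": "evt-2", "process_name": "docker", "command_line": "docker build -t app .",
     "content": b"buildid C143D55D996634D1B761709372042474"},
    {"id": "evt-3", "process_name": "gcc", "command_line": "gcc main.c",
     "content": b"buildid only, no hash present"},
    {"id": "evt-4", "job_name": "nightly", "process_name": "java", "command_line": "",
     "content": b"buildid DCEF055EEE3F76CABB27B3BD7233F6E3"},
]

if __name__ == "__main__":
    print("alerts after exclusions:", triage(SAMPLE_EVENTS))
```

Running the module prints only evt-1: evt-2 and evt-4 match the rule but fall under the Docker and CI/CD exclusions, and evt-3 never satisfies the condition because neither hash string is present.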