Fileless malware leverages in-memory execution and avoids traditional file-based persistence, making it difficult to detect with standard file integrity monitoring. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that evade conventional detection methods.
YARA Rule
rule Kovter
{
    meta:
        maltype = "Kovter"
        reference = "http://blog.airbuscybersecurity.com/post/2016/03/FILELESS-MALWARE-%E2%80%93-A-BEHAVIOURAL-ANALYSIS-OF-KOVTER-PERSISTENCE"
        date = "9-19-2016"
        description = "fileless malware"

    strings:
        // Process creation (4688) of regsvr32.exe, then process exit (4689) of
        // mshta.exe, powershell.exe and WmiPrvSE.exe, all from the Security log
        $type = "Microsoft-Windows-Security-Auditing" wide ascii
        $eventid = "4688" wide ascii
        $data = "Windows\\System32\\regsvr32.exe" wide ascii
        $type1 = "Microsoft-Windows-Security-Auditing" wide ascii
        $eventid1 = "4689" wide ascii
        $data1 = "Windows\\System32\\mshta.exe" wide ascii
        $type2 = "Microsoft-Windows-Security-Auditing" wide ascii
        $eventid2 = "4689" wide ascii
        $data2 = "Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" wide ascii
        $type3 = "Microsoft-Windows-Security-Auditing" wide ascii
        $eventid3 = "4689" wide ascii
        $data3 = "Windows\\System32\\wbem\\WmiPrvSE.exe" wide ascii

    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic.
Scenario: PowerShell script used for system administration tasks
Description: A system administrator runs a legitimate PowerShell script to automate routine tasks such as user account management or system updates.
Filter/Exclusion: process.parent_process == "Windows PowerShell" && process.command_line contains "powershell.exe -Command"

Scenario: Scheduled job execution using PowerShell
Description: A scheduled task runs a PowerShell script to perform regular maintenance, such as log rotation or service restarts.
Filter/Exclusion: process.parent_process == "schtasks.exe" && process.command_line contains "powershell.exe"

Scenario: Microsoft Office macro execution
Description: A user opens a document containing a macro that is used for data processing or report generation.
Filter/Exclusion: (process.file_name == "WINWORD.EXE" || process.file_name == "EXCEL.EXE") && process.command_line contains "/m"

Scenario: Windows Management Instrumentation (WMI) query
Description: A WMI query is executed to retrieve system information or perform remote management tasks.
Filter/Exclusion: (process.file_name == "wmic.exe" || process.file_name == "cscript.exe") && process.command_line contains "query"

Scenario: Use of Windows Task Scheduler for legitimate automation
Description: A task created via the Task Scheduler runs a script or executable to perform automated backups or monitoring.
Filter/Exclusion: process.parent_process == "schtasks.exe" || process.file_name == "taskhost.exe"
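The following is an added example, not code from the original page: it re-expresses the rule's "all of them" logic as a per-host correlation over Windows Security events and applies the five exclusions above with explicit parentheses, so that the `&&` in the Office and WMI filters cannot bind tighter than the `||`. The `Event` field names (host, event_id, image, parent, command_line, provider) are assumed, loosely modelled on the filters above, and the sample events are constructed.

```python
from dataclasses import dataclass
# (event_id, image suffix) pairs from the rule's strings; 'all of them' means a hit needs all four on one host.
RULE_PAIRS = {("4688", r"Windows\System32\regsvr32.exe"), ("4689", r"Windows\System32\mshta.exe"),
              ("4689", r"Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
              ("4689", r"Windows\System32\wbem\WmiPrvSE.exe")}

@dataclass
class Event:                   # assumed field names, modelled on the filters above
    host: str
    event_id: str
    image: str                 # full NewProcessName / ProcessName path
    parent: str = ""
    command_line: str = ""
    provider: str = "Microsoft-Windows-Security-Auditing"

def excluded(e: Event) -> bool:
    """The five scenario exclusions, parenthesised so '&&' cannot bind tighter than '||'."""
    name, cl = e.image.rsplit("\\", 1)[-1], e.command_line
    return (
        (e.parent == "Windows PowerShell" and "powershell.exe -Command" in cl)
        or (e.parent == "schtasks.exe" and "powershell.exe" in cl)
        or (name in {"WINWORD.EXE", "EXCEL.EXE"} and "/m" in cl)
        or (name in {"wmic.exe", "cscript.exe"} and "query" in cl)
        or e.parent == "schtasks.exe" or name == "taskhost.exe"
    )

def kovter_hosts(events) -> set:
    """Hosts whose non-excluded Security-Auditing events cover every rule pair."""
    matched = {}
    for e in events:
        if e.provider != "Microsoft-Windows-Security-Auditing" or excluded(e):
            continue
        for eid, suffix in RULE_PAIRS:
            if e.event_id == eid and e.image.endswith(suffix):
                matched.setdefault(e.host, set()).add((eid, suffix))
    return {host for host, pairs in matched.items() if pairs == RULE_PAIRS}

# Constructed sample: WS01 shows the whole chain; on WS02 the powershell.exe exit came from a schtasks.exe child and is excluded.
S32 = r"C:\Windows\System32"
SAMPLE = [
    Event("WS01", "4688", S32 + r"\regsvr32.exe", "explorer.exe"),
    Event("WS01", "4689", S32 + r"\mshta.exe"),
    Event("WS01", "4689", S32 + r"\WindowsPowerShell\v1.0\powershell.exe"),
    Event("WS01", "4689", S32 + r"\wbem\WmiPrvSE.exe"),
    Event("WS02", "4688", S32 + r"\regsvr32.exe"),
    Event("WS02", "4689", S32 + r"\mshta.exe"),
    Event("WS02", "4689", S32 + r"\WindowsPowerShell\v1.0\powershell.exe", "schtasks.exe", "powershell.exe -File maint.ps1"),
    Event("WS02", "4689", S32 + r"\wbem\WmiPrvSE.exe"),
]
```

Note that the last exclusion drops every process whose parent is schtasks.exe, so any step of the chain launched by a scheduled task never counts toward a hit; that is the trade-off the fifth scenario makes.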