/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.

*/

rule Kovter
{ 
	meta:
		maltype = "Kovter"
    reference = "http://blog.airbuscybersecurity.com/post/2016/03/FILELESS-MALWARE-%E2%80%93-A-BEHAVIOURAL-ANALYSIS-OF-KOVTER-PERSISTENCE"
		date = "9-19-2016"
		description = "fileless malware"
	strings:
		$type="Microsoft-Windows-Security-Auditing" wide ascii
		$eventid="4688" wide ascii
		$data="Windows\\System32\\regsvr32.exe" wide ascii
		
		$type1="Microsoft-Windows-Security-Auditing" wide ascii
		$eventid1="4689" wide ascii
		$data1="Windows\\System32\\mshta.exe" wide ascii
		
		$type2="Microsoft-Windows-Security-Auditing" wide ascii
		$eventid2="4689" wide ascii
		$data2="Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" wide ascii

		$type3="Microsoft-Windows-Security-Auditing" wide ascii
		$eventid3="4689" wide ascii
		$data3="Windows\\System32\\wbem\\WmiPrvSE.exe" wide ascii


	condition:
		all of them
}