SigmaHQ / sigma

Main Sigma Rule Repository

Detects Backdoor Kapeka Via Registry Key #4835

Closed cY83rR0H1t closed 5 months ago

cY83rR0H1t commented 7 months ago

Description of the Idea of the Rule

Kapeka: A novel backdoor spotted in Eastern Europe

Public References / Example Event Log

https://labs.withsecure.com/publications/kapeka

title: Detects Backdoor Kapeka Via Registry Key
id: 039abeb3-149a-4d03-8fda-a338d51b9762
status: experimental
description: Detects Backdoor Kapeka Via Registry Key
references:
    - https://labs.withsecure.com/publications/kapeka
author: Rohit Jain
date: 2024-04-24
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1547.001
logsource:
    product: windows
    # Security 4688 and Sysmon event ID 1 are both covered by this category;
    # Sigma has no 'event id' key inside 'detection'
    category: process_creation
detection:
    selection:
        # endswith/contains are plain, case-insensitive string matches, not regex
        Image|endswith: '\reg.exe'
        ParentImage|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        # every term must appear in the same command line; as a plain list they would be OR-ed
        CommandLine|contains|all:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
            - 'Sens Api'
            - 'rundll32.exe'
            - '.wll'
            - '#1'
    condition: selection
falsepositives:
    - Unknown
level: high
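As an added illustration (not part of the issue or of the SigmaHQ repository), the Python below mimics how a Sigma backend evaluates the rule's `endswith` and `contains` modifiers against constructed process_creation events, and shows why the command-line terms need `|all`: as a plain list they are OR-ed, so a benign `reg query` of the Run key already fires. All event contents, including the `.wll` path, are constructed placeholders.

```python
# Constructed process_creation events (not from the report or the issue); field
# names follow the Sigma process_creation taxonomy the rule uses.
EVENTS = [
    {   # benign: cmd.exe launching rundll32 directly, no registry write
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
    },
    {   # benign: reg.exe only queries the Run key from PowerShell
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    },
    {   # Kapeka-shaped autorun write: every term the rule lists, in one command line
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (r"reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "
                        r'/v "Sens Api" /t REG_SZ /d '
                        r'"C:\Windows\System32\rundll32.exe C:\PLACEHOLDER\loader.wll #1"'),
    },
]

# The CommandLine terms from the rule, as the author listed them.
CMDLINE_TERMS = [r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                 "Sens Api", "rundll32.exe", ".wll", "#1"]

def endswith_any(value, suffixes):
    """Sigma 'endswith' on a list: any suffix matches, case-insensitively."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def contains(value, needles, require_all):
    """Sigma 'contains' (any needle) versus 'contains|all' (every needle)."""
    v = value.lower()
    hits = [n.lower() in v for n in needles]
    return all(hits) if require_all else any(hits)

def kapeka_rule(event, require_all):
    """The issue's selection block; require_all toggles the |all modifier."""
    return (endswith_any(event["Image"], [r"\reg.exe"])
            and endswith_any(event["ParentImage"], [r"\powershell.exe", r"\cmd.exe"])
            and contains(event["CommandLine"], CMDLINE_TERMS, require_all))

def matching_events(events, require_all):
    """Indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if kapeka_rule(e, require_all)]

if __name__ == "__main__":
    print("plain list (OR):", matching_events(EVENTS, require_all=False))  # [1, 2]
    print("contains|all:   ", matching_events(EVENTS, require_all=True))   # [2]
```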
nasbench commented 5 months ago

This is already covered in #4831