Closed by cY83rR0H1t 4 months ago
Kapeka: A novel backdoor spotted in Eastern Europe
https://labs.withsecure.com/publications/kapeka
```yaml
title: Backdoor Kapeka Via Registry Key
id: 039abeb3-149a-4d03-8fda-a338d51b9762
status: experimental
description: Detects Backdoor Kapeka Via Registry Key
references:
    - https://labs.withsecure.com/publications/kapeka
author: Rohit Jain
date: 2024/04/24
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: process_creation   # maps to Sysmon Event ID 1 / Security 4688
detection:
    # Sigma string matching is case-insensitive, so the (?i) regex prefixes
    # and the regex-style 'endswith' values are replaced by plain strings.
    selection:
        Image|endswith: '\reg.exe'
        ParentImage|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
            - '"sens api"'
            - 'rundll32.exe'
            - '.wll'
            - '#1'
    condition: selection
falsepositives:
    - N/A
level: high
```
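To show what this selection actually fires on, here is an added example (not part of the Sigma project or of the submitted rule) that applies the rule's three field filters to constructed process-creation events; the event paths and values are illustrative, and the Python matching mimics Sigma's case-insensitive `endswith`/`contains` semantics.

```python
# Added example: evaluates the Sigma selection above against constructed events.
# Not part of the Sigma project's code; helper names are assumptions.
from typing import Dict, List

# Values copied from the rule; Sigma string matching is case-insensitive.
IMAGE_SUFFIXES = ("\\reg.exe",)
PARENT_SUFFIXES = ("\\powershell.exe", "\\cmd.exe")
CMDLINE_NEEDLES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    '"sens api"',
    "rundll32.exe",
    ".wll",
    "#1",
)


def matches_kapeka_rule(event: Dict[str, str]) -> bool:
    """True when all three selection fields match (list items inside a field are ORed)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        image.endswith(IMAGE_SUFFIXES)
        and parent.endswith(PARENT_SUFFIXES)
        and any(needle in cmdline for needle in CMDLINE_NEEDLES)
    )


# Constructed sample events (paths and names are illustrative, not from a real host).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # Run-key persistence shaped like the behaviour the WithSecure report describes
        "Image": "C:\\Windows\\System32\\reg.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": 'reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run '
                       '/v "Sens Api" /t REG_SZ /d "rundll32.exe C:\\Users\\Public\\x.wll,#1"',
    },
    {  # Benign registry query from an admin shell: same image and parent, no needle
        "Image": "C:\\Windows\\System32\\reg.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time",
    },
    {  # Same Run-key write, but spawned by explorer.exe: the parent filter fails
        "Image": "C:\\Windows\\System32\\reg.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": 'reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v "Sens Api"',
    },
    {  # Any Run-key write from cmd.exe also fires, because the contains list is ORed
        "Image": "C:\\Windows\\System32\\reg.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /d C:\\tools\\u.exe",
    },
]


def evaluate(events: List[Dict[str, str]]) -> List[int]:
    """Indexes of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_kapeka_rule(ev)]
```

The fourth event shows why the rule is noisier than its description suggests: because the `CommandLine|contains` items are ORed, any `reg.exe` launched from `cmd.exe` or `powershell.exe` whose command line carries a single generic token such as `#1` or `rundll32.exe` fires, not only the `"Sens Api"` persistence the report describes.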
This is already covered in #4831
Description of the Idea of the Rule
Kapeka: A novel backdoor spotted in Eastern Europe
Public References / Example Event Log
https://labs.withsecure.com/publications/kapeka