Emerging Threathightest

Potential Kapeka Decrypted Backdoor Indicator

Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)Created Wed Jul 0320228d05-dd68-435d-8b4e-e7e64938880c2024

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection_generic:
        TargetFilename|contains:
            - ':\ProgramData\'
            - '\AppData\Local\'
        TargetFilename|re: '\\[a-zA-Z]{5,6}\.wll'
    selection_specific:
        TargetFilename|endswith:
            - '\win32log.exe'
            - '\crdss.exe'
    condition: 1 of selection_*