Kapeka Backdoor Persistence Activity
Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection_schtasks_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_schtasks_flags:
CommandLine|contains|all:
- 'create'
- 'ONSTART'
selection_reg_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_flags:
CommandLine|contains|all:
- 'add'
- '\Software\Microsoft\Windows\CurrentVersion\Run'
selection_backdoor_command:
CommandLine|contains|all:
- 'rundll32'
- '.wll'
- '#1'
CommandLine|contains:
- 'Sens Api'
- 'OneDrive' # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases
condition: (all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_commandFalse positives are unlikely for most environments. High confidence detection.
Sub-techniques
Other