Phoenix
Sigma IntelligenceBeta
Back to Rules
Emerging Threathightest

Kapeka Backdoor Scheduled Task Creation

Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Swachchhanda Shrawan PoudelCreated Wed Jul 036c130acd-0adb-4545-bcc4-2e85d0883c9a2024
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security

Definition

Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to trigger this detection.

Detection Logic
Detection Logic4 selectors
detection:
    selection_eid:
        EventID: 4698
    selection_paths:
        TaskContent|contains:
            - ':\ProgramData\'
            - '\AppData\Local\'
    selection_command:
        TaskContent|contains|all:
            - 'rundll32'
            - '.wll'
            - '#1'
    selection_taskname:
        TaskContent|contains:
            - 'OneDrive' # The scheduled task was called “OneDrive” instead of “Sens Api” in some cases
            - 'Sens Api'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
learn.microsoft.com
2
Resolving title…
labs.withsecure.com
3
Resolving title…
app.any.run
4
Resolving title…
virustotal.com
MITRE ATT&CK

Other

detection.emerging-threats
Related Rules
SimilarEmerging Threathigh

Kapeka Backdoor Persistence Activity

Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
6c130acd-0adb-4545-bcc4-2e85d0883c9a
Status
test
Level
high
Type
Emerging Threat
Created
Wed Jul 03
Author
Swachchhanda Shrawan Poudel
Path
rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml
Raw Tags
attack.executionattack.privilege-escalationattack.persistenceattack.t1053.005detection.emerging-threats
View on GitHub