Emerging Threat | Level: medium | Status: test

Potential KamiKakaBot Activity - Shutdown Schedule Task Creation

Detects the creation of a scheduled task that runs weekly and executes the "shutdown /l /f" command (a forced log-off of the current user). This behavior was observed in KamiKakaBot samples as a way to achieve persistence on a system.

Authors: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
Created: Fri Mar 22 2024
Rule ID: fe9e8ba9-4419-41e6-a574-bd9f7b3af961
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /create '
            - 'shutdown /l /f'
            - 'WEEKLY'
    filter_main_system_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
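As an added example (not part of the Sigma rule or of this page), the Python below re-implements the rule's matching semantics and runs it over constructed process-creation events. It reproduces Sigma's default case-insensitive string matching, the `endswith` / `contains|all` / `contains` modifiers, and the `selection and not 1 of filter_main_*` condition, and it shows which events fire and which are excluded: the same command line run as `NT AUTHORITY\SYSTEM` or the French `AUTORITE NT\SYSTEM` is dropped by the filter, a benign weekly backup task never matches, and a command line with the shutdown switches reordered (`shutdown /f /l`) falls outside the rule's literal substring. All events, hostnames and user names are constructed for this example.

```python
"""Local re-implementation of the Sigma rule
'Potential KamiKakaBot Activity - Shutdown Schedule Task Creation'.

Constructed sample events only; this is illustrative code, not the rule's
official backend translation. Field names (Image, CommandLine, User) follow
the Sigma process_creation log source.
"""
from __future__ import annotations

from dataclasses import dataclass

# Values copied verbatim from the rule. Sigma string matching is
# case-insensitive by default, so both sides are lower-cased when compared.
SELECTION_IMAGE_ENDSWITH = "\\schtasks.exe"
SELECTION_CMDLINE_CONTAINS_ALL = (" /create ", "shutdown /l /f", "WEEKLY")
# 'AUTHORI' / 'AUTORI' cover NT AUTHORITY, AUTORITE NT, AUTORIDAD NT, ...
FILTER_USER_CONTAINS_ANY = ("AUTHORI", "AUTORI")


@dataclass(frozen=True)
class ProcessCreationEvent:
    image: str
    command_line: str
    user: str


def selection_matches(ev: ProcessCreationEvent) -> bool:
    """selection: Image|endswith and CommandLine|contains|all."""
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    return image.endswith(SELECTION_IMAGE_ENDSWITH.lower()) and all(
        token.lower() in cmd for token in SELECTION_CMDLINE_CONTAINS_ALL
    )


def filter_main_system_user(ev: ProcessCreationEvent) -> bool:
    """filter_main_system_user: User|contains any of the listed substrings."""
    user = ev.user.lower()
    return any(token.lower() in user for token in FILTER_USER_CONTAINS_ANY)


def rule_matches(ev: ProcessCreationEvent) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection_matches(ev) and not filter_main_system_user(ev)


SCHTASKS = r"C:\Windows\System32\schtasks.exe"
KAMIKAKABOT_LIKE_CMD = r'schtasks /create /sc WEEKLY /tn "WindowsUpdate" /tr "shutdown /l /f" /f'

# Constructed sample events (hostnames, users and task names are made up).
SAMPLE_EVENTS = {
    "kamikakabot_like_user_context": ProcessCreationEvent(
        SCHTASKS, KAMIKAKABOT_LIKE_CMD, r"DESKTOP-01\alice"),
    # Same command, but run as SYSTEM: excluded by the filter.
    "same_command_as_system": ProcessCreationEvent(
        SCHTASKS, KAMIKAKABOT_LIKE_CMD, r"NT AUTHORITY\SYSTEM"),
    # French-localised SYSTEM account: also excluded ('AUTORI').
    "same_command_french_system": ProcessCreationEvent(
        SCHTASKS, KAMIKAKABOT_LIKE_CMD, r"AUTORITE NT\SYSTEM"),
    # Mixed case still matches because Sigma matching is case-insensitive.
    "mixed_case_variant": ProcessCreationEvent(
        SCHTASKS, r'SCHTASKS /Create /SC weekly /TN "svc" /TR "SHUTDOWN /L /F"',
        r"DESKTOP-01\alice"),
    # Benign weekly task: no 'shutdown /l /f' substring.
    "benign_weekly_backup_task": ProcessCreationEvent(
        SCHTASKS, r'schtasks /create /sc WEEKLY /tn "Backup" /tr "C:\Tools\backup.bat"',
        r"DESKTOP-01\alice"),
    # Switch order changed: outside the rule's literal substring, so no match.
    "reordered_shutdown_switches": ProcessCreationEvent(
        SCHTASKS, r'schtasks /create /sc WEEKLY /tn "x" /tr "shutdown /f /l"',
        r"DESKTOP-01\alice"),
    # The cmd.exe parent does not match; the rule fires on the schtasks.exe child event.
    "cmd_parent_wrapping_schtasks": ProcessCreationEvent(
        r"C:\Windows\System32\cmd.exe", "cmd.exe /c " + KAMIKAKABOT_LIKE_CMD,
        r"DESKTOP-01\alice"),
}


def evaluate(events: dict[str, ProcessCreationEvent] = SAMPLE_EVENTS) -> dict[str, bool]:
    """Return {event name: rule fired?} for every event."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{'ALERT ' if fired else 'ignore'}  {name}")
```

The two negative cases worth noting during triage are the last ones: the rule is keyed on the exact substring `shutdown /l /f`, so a reordered or re-spaced variant is not covered by this rule, and it evaluates the `schtasks.exe` process event itself rather than any interpreter that launched it.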
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

MITRE ATT&CK
Tactic: Persistence (from tag attack.persistence)

Other

detection.emerging-threats
Rule Metadata
Rule ID
fe9e8ba9-4419-41e6-a574-bd9f7b3af961
Status
test
Level
medium
Type
Emerging Threat
Created
Fri Mar 22 2024
Path
rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml
Raw Tags
attack.persistence, detection.emerging-threats