Potential KamiKakaBot Activity - Lure Document Execution
Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
Sigma rule

title: Potential KamiKakaBot Activity - Lure Document Execution
id: 24474469-bd80-46cc-9e08-9fbe81bfaaca
status: experimental
description: |
    Detects the execution of a Word document via the WinWord Start Menu shortcut.
    This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
references:
    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-03-22
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/c '
            - '.lnk ~'
            - 'Start Menu\Programs\Word'
        CommandLine|endswith: '.doc'
    condition: selection
falsepositives:
    - Unknown
level: medium
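To make the rule's matching behaviour concrete, the following Python hand-translates the selection block and runs it over a few constructed process_creation events. This is an added example, not code from the Sigma project or from the Nextron write-up, and it is not a Sigma backend; the events, paths and file names are invented for illustration. It applies Sigma's default case-insensitive string comparison for `endswith` and `contains|all`, and includes near-misses (a direct WINWORD.EXE launch, a `.docx` argument) so the rule's boundaries are visible.

```python
"""Evaluate the selection of the KamiKakaBot lure-document Sigma rule
over constructed process_creation events.

Added example: not the Sigma project's code and not a real Sigma backend.
The rule's three field tests are translated by hand so that which events
fire, and which do not, can be read directly.
"""

# Values copied from the rule's selection block.
IMAGE_ENDSWITH = r"\cmd.exe"
CMDLINE_CONTAINS_ALL = ("/c ", ".lnk ~", r"Start Menu\Programs\Word")
CMDLINE_ENDSWITH = ".doc"

# Constructed sample events (not real telemetry). Field names follow the Sigma
# process_creation log source; every path and file name here is invented.
SAMPLE_EVENTS = [
    {   # 0: the shape the rule describes -> expected to match
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c C:\Users\Public\Start Menu\Programs\Word.lnk ~ C:\Users\Public\invoice.doc",
    },
    {   # 1: ordinary cmd.exe use -> no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Users",
    },
    {   # 2: Word opening a document itself; Image is not cmd.exe -> no match
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" C:\Users\Public\invoice.doc',
    },
    {   # 3: near miss: same shortcut path but a .docx argument; endswith '.doc' fails
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c C:\Users\Public\Start Menu\Programs\Word.lnk ~ C:\Users\Public\invoice.docx",
    },
    {   # 4: event 0 in different letter case; Sigma compares case-insensitively -> match
        "Image": r"C:\WINDOWS\SYSTEM32\CMD.EXE",
        "CommandLine": r"CMD.EXE /C C:\USERS\PUBLIC\START MENU\PROGRAMS\WORD.LNK ~ C:\USERS\PUBLIC\INVOICE.DOC",
    },
]


def matches_selection(event: dict) -> bool:
    """Return True when the event satisfies every field test of the selection.

    Sigma string modifiers (`endswith`, `contains|all`) are case-insensitive by
    default, so both the field value and the pattern are lower-cased first.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        image.endswith(IMAGE_ENDSWITH.lower())
        and all(needle.lower() in cmdline for needle in CMDLINE_CONTAINS_ALL)
        and cmdline.endswith(CMDLINE_ENDSWITH.lower())
    )


def run_rule(events: list[dict]) -> list[int]:
    """Apply the rule (condition: selection) and return indices of matching events."""
    return [i for i, ev in enumerate(events) if matches_selection(ev)]


if __name__ == "__main__":
    for idx in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Running it flags events 0 and 4 only. Event 3 shows the caveat a practitioner should keep in mind when tuning: because the rule uses `CommandLine|endswith: '.doc'`, a command line that ends in `.docx`, or in a closing quote after the document name, falls outside the selection as written.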