Potential KamiKakaBot Activity - Lure Document Execution
Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
Sigma rule (View on GitHub)
title: Potential KamiKakaBot Activity - Lure Document Execution
id: 24474469-bd80-46cc-9e08-9fbe81bfaaca
status: test
description: |
    Detects the execution of a Word document via the WinWord Start Menu shortcut.
    This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
references:
    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-03-22
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/c '
            - '.lnk ~'
            - 'Start Menu\Programs\Word'
        CommandLine|endswith: '.doc'
    condition: selection
falsepositives:
    - Unknown
level: medium
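To show how the selection block above is evaluated, here is an added Python example (not part of the rule or the SigmaHQ project) that applies the same field matchers to a few constructed process_creation events; field names follow the Sigma process_creation taxonomy, and the command lines are made up to exercise the rule, not captured telemetry.

```python
from typing import Dict, List

# Constructed sample events (not real telemetry). Only the first one should
# satisfy every matcher in the rule's 'selection' block.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\u\AppData\Roaming\Microsoft\Windows"
                    r"\Start Menu\Programs\Word.lnk ~ C:\Users\u\Downloads\invite.doc"},
    # Benign cmd.exe usage: lacks the '.lnk ~' and Start Menu substrings
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\u\Documents"},
    # Word opened directly: Image is not cmd.exe, so the rule does not fire
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"'
                    r" /n C:\Users\u\Downloads\invite.doc"},
]


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate the rule's 'selection' against one event.

    Sigma string modifiers (endswith / contains) are case-insensitive by
    default, so both the field values and the patterns are lower-cased.
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # Image|endswith: '\cmd.exe'
    if not image.endswith(r"\cmd.exe"):
        return False
    # CommandLine|contains|all: every listed substring must be present
    needles = ["/c ", ".lnk ~", r"start menu\programs\word"]
    if not all(n in cmd for n in needles):
        return False
    # CommandLine|endswith: '.doc' (note: a trailing quote or '.docx' breaks this)
    return cmd.endswith(".doc")


def alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The endswith check is exact, so a command line ending in '.docx' or in a closing quote after the document path would not match; keep that in mind when tuning the rule against your own telemetry.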
References
- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
Related rules
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- DarkGate - Drop DarkGate Loader In C:\Temp Directory
- DarkGate - Autoit3.EXE Execution Parameters
- DarkGate - Autoit3.EXE File Creation By Uncommon Process