Potential KamiKakaBot Activity - Shutdown Schedule Task Creation

Detects the creation of a scheduled task that runs weekly and executes "shutdown /l /f" (a forced log-off of the current user). This behavior was observed in KamiKakaBot samples, which use the task to achieve persistence on a system. The rule looks for a schtasks.exe process creation whose command line contains " /create ", "shutdown /l /f" and "WEEKLY", and excludes tasks created under the built-in system accounts (User containing "AUTHORI" or "AUTORI", to cover localized account names).

Sigma rule (View on GitHub)

title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
id: fe9e8ba9-4419-41e6-a574-bd9f7b3af961
status: experimental
description: |
    Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
    This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
references:
    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
    - https://tria.ge/240123-rapteaahhr/behavioral1
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024/03/22
tags:
    - attack.persistence
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /create '
            - 'shutdown /l /f'
            - 'WEEKLY'
    filter_main_system_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
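To show what the rule actually fires on, the following Python re-implements the selection, filter and condition by hand and runs them over a handful of constructed process_creation events. This is an added example, not code from the rule's authors or from Sigma itself; the events, the `RULE` dictionary and the `alerts` helper are assumptions made for illustration. It mirrors Sigma's default case-insensitive string matching, so `/Create /sc weekly` is caught as well as `/create ... WEEKLY`, while a reordered `shutdown /f /l` is not.

```python
# Hand-written re-implementation of the Sigma rule's detection block
# (illustrative only; not Sigma's own pySigma engine).
RULE = {
    "selection": {
        "Image|endswith": ["\\schtasks.exe"],
        "CommandLine|contains|all": [" /create ", "shutdown /l /f", "WEEKLY"],
    },
    "filter_main_system_user": {
        "User|contains": ["AUTHORI", "AUTORI"],  # covers many language settings
    },
}


def _field_matches(event, spec, values):
    """Evaluate one 'Field|modifier...' entry against an event.

    Sigma string matching is case-insensitive by default, so both the field
    value and the needles are lower-cased before comparison.
    """
    field, *mods = spec.split("|")
    value = str(event.get(field, "")).lower()
    needles = [str(v).lower() for v in values]
    if "endswith" in mods:
        hits = [value.endswith(n) for n in needles]
    elif "contains" in mods:
        hits = [n in value for n in needles]
    else:
        hits = [value == n for n in needles]
    # 'all' requires every listed value to hit; otherwise any one is enough.
    return all(hits) if "all" in mods else any(hits)


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    selection = all(_field_matches(event, k, v) for k, v in RULE["selection"].items())
    filtered = any(
        all(_field_matches(event, k, v) for k, v in block.items())
        for name, block in RULE.items()
        if name.startswith("filter_main_")
    )
    return selection and not filtered


# Constructed sample events (not real telemetry). Each carries an 'id' so the
# result is easy to read; 'id' is not a field the rule looks at.
EVENTS = [
    {"id": "persistence",  # the KamiKakaBot-style task: should alert
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc WEEKLY /tn "WindowsUpdate" /tr "shutdown /l /f" /f',
     "User": r"DESKTOP-1\alice"},
    {"id": "system-user",  # same command under SYSTEM: suppressed by the filter
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc WEEKLY /tn "WindowsUpdate" /tr "shutdown /l /f" /f',
     "User": r"NT AUTHORITY\SYSTEM"},
    {"id": "daily",  # daily schedule: 'WEEKLY' absent, no alert
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc DAILY /tn "Logoff" /tr "shutdown /l /f"',
     "User": r"DESKTOP-1\alice"},
    {"id": "lowercase",  # mixed case still matches (case-insensitive contains)
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC weekly /TN Logoff /TR "shutdown /l /f"',
     "User": r"DESKTOP-1\bob"},
    {"id": "reordered",  # evasion caveat: swapped switches break the literal needle
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc WEEKLY /tn Logoff /tr "shutdown /f /l"',
     "User": r"DESKTOP-1\bob"},
    {"id": "not-schtasks",  # cmd.exe parent: the child schtasks.exe event would match, this one does not
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c schtasks /create /sc WEEKLY /tr "shutdown /l /f"',
     "User": r"DESKTOP-1\bob"},
]


def alerts(events=EVENTS):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerts())
```

The "reordered" event illustrates the rule's main blind spot: the `shutdown /l /f` needle is a literal substring, so `shutdown /f /l`, extra whitespace, or a quoted path to shutdown.exe all slip past it. That is acceptable for an emerging-threat rule keyed to observed samples, but worth knowing before treating a non-hit as clean.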
