Potential KamiKakaBot Activity - Winlogon Shell Persistence
Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
Sigma rule (View on GitHub)
1title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
2id: c9b86500-1ec2-4de6-9120-d744c8fb5caf
3status: test
4description: |
5 Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
6references:
7 - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
8author: Nasreddine Bencherchali (Nextron Systems), X__Junior
9date: 2024-03-22
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.t1547.001
14 - detection.emerging-threats
15logsource:
16 category: registry_set
17 product: windows
18detection:
19 selection:
20 TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
21 Details|contains|all:
22 - '-nop -w h'
23 - '$env'
24 - 'explorer.exe'
25 - 'Start-Process'
26 condition: selection
27falsepositives:
28 - Unlikely
29level: high
References
-
We’ve been monitoring KamiKakaBot samples since 09/2023. And at the start of 2024 we’ve noticed 2 new samples being uploaded to Virustotal.
Read More
Related rules
- Forest Blizzard APT - Custom Protocol Handler Creation
- Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
- Kapeka Backdoor Autorun Persistence
- Leviathan Registry Key Activity
- Potential Ryuk Ransomware Activity