Potential KamiKakaBot Activity - Winlogon Shell Persistence
Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
Sigma rule (View on GitHub)
1title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
2id: c9b86500-1ec2-4de6-9120-d744c8fb5caf
3status: experimental
4description: |
5 Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
6references:
7 - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
8author: Nasreddine Bencherchali (Nextron Systems), X__Junior
9date: 2024/03/22
10tags:
11 - attack.persistence
12 - attack.t1547.001
13 - detection.emerging_threats
14logsource:
15 category: registry_set
16 product: windows
17detection:
18 selection:
19 TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
20 Details|contains|all:
21 - '-nop -w h'
22 - '$env'
23 - 'explorer.exe'
24 - 'Start-Process'
25 condition: selection
26falsepositives:
27 - Unlikely
28level: high
References
-
We’ve been monitoring KamiKakaBot samples since 09/2023. And at the start of 2024 we’ve noticed 2 new samples being uploaded to Virustotal.
Read More
Related rules
- Potential Ryuk Ransomware Activity
- Suspicious VBScript UN2452 Pattern
- Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
- COLDSTEEL RAT Anonymous User Process Execution
- COLDSTEEL RAT Cleanup Command Execution