Kapeka Backdoor Persistence Activity

Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.

Sigma rule (View on GitHub)

 1title: Kapeka Backdoor Persistence Activity
 2id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
 3status: experimental
 4description: |
 5    Detects Kapeka backdoor persistence activity.
 6    Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
 7    For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
 8    To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
 9    Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.    
10references:
11    - https://labs.withsecure.com/publications/kapeka
12    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
13    - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
14author: Swachchhanda Shrawan Poudel
15date: 2024/07/03
16tags:
17    - attack.persistence
18    - attack.t1053.005
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_schtasks_img:
24        - Image|endswith: '\schtasks.exe'
25        - OriginalFileName: 'schtasks.exe'
26    selection_schtasks_flags:
27        CommandLine|contains|all:
28            - 'create'
29            - 'ONSTART'
30    selection_reg_img:
31        - Image|endswith: '\reg.exe'
32        - OriginalFileName: 'reg.exe'
33    selection_reg_flags:
34        CommandLine|contains|all:
35            - 'add'
36            - '\Software\Microsoft\Windows\CurrentVersion\Run'
37    selection_backdoor_command:
38        CommandLine|contains|all:
39            - 'rundll32'
40            - '.wll'
41            - '#1'
42        CommandLine|contains:
43            - 'Sens Api'
44            - 'OneDrive' # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases
45    condition: (all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command
46falsepositives:
47    - Unlikely
48level: high

References

Related rules

to-top