Kapeka Backdoor Autorun Persistence
Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
Sigma rule (View on GitHub)
1title: Kapeka Backdoor Autorun Persistence
2id: c0c67b21-eb8a-4c84-a395-40473ec3b482
3related:
4 - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
5 type: similar
6status: experimental
7description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
8references:
9 - https://labs.withsecure.com/publications/kapeka
10 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
11author: Swachchhanda Shrawan Poudel
12date: 2024-07-03
13tags:
14 - attack.persistence
15 - attack.t1547.001
16logsource:
17 category: registry_set
18 product: windows
19detection:
20 selection:
21 TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
22 TargetObject|endswith:
23 - '\Sens Api'
24 - '\OneDrive'
25 Details|contains|all:
26 - ':\WINDOWS\system32\rundll32.exe'
27 - '.wll'
28 - '#1'
29 condition: selection
30falsepositives:
31 - Unknown
32level: high
References
Related rules
- Classes Autorun Keys Modification
- Common Autorun Keys Modification
- CurrentControlSet Autorun Keys Modification
- CurrentVersion Autorun Keys Modification
- CurrentVersion NT Autorun Keys Modification