Kapeka Backdoor Autorun Persistence

Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.

Sigma rule (View on GitHub)

 1title: Kapeka Backdoor Autorun Persistence
 2id: c0c67b21-eb8a-4c84-a395-40473ec3b482
 3related:
 4    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
 5      type: similar
 6status: experimental
 7description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
 8references:
 9    - https://labs.withsecure.com/publications/kapeka
10    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
11author: Swachchhanda Shrawan Poudel
12date: 2024/07/03
13tags:
14    - attack.persistence
15    - attack.t1547.001
16logsource:
17    category: registry_set
18    product: windows
19detection:
20    selection:
21        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
22        TargetObject|endswith:
23            - '\Sens Api'
24            - '\OneDrive'
25        Details|contains|all:
26            - ':\WINDOWS\system32\rundll32.exe'
27            - '.wll'
28            - '#1'
29    condition: selection
30falsepositives:
31    - Unknown
32level: high

References

Related rules

to-top