Kapeka Backdoor Configuration Persistence

Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.

Sigma rule (View on GitHub)

```yaml
title: Kapeka Backdoor Configuration Persistence
id: cbaa3ef3-07a9-4c8e-82d1-9e40578da7fd
status: experimental
description: |
    Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
    The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1553.003
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Cryptography\Providers\{'
        TargetObject|endswith: '\Seed'
    filter_main_empty:
        Details|contains: '(Empty)'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
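To make the rule's matching behaviour concrete, here is an added Python re-implementation of its selection and filter logic (this is example code written for this page, not part of the Sigma rule or the SigmaHQ project). It evaluates the `selection`, `filter_main_empty` and `condition` semantics over a handful of constructed `registry_set` events with the field names Sigma uses for that log source (`TargetObject`, `Details`), which Sysmon reports as Event ID 13. The provider GUID and every event record are made up for illustration; Sigma's `contains`/`endswith` modifiers are case-insensitive by default, so the comparison is done on lower-cased values.

```python
# Added example, not part of the Sigma rule or the SigmaHQ project: a small
# Python re-implementation of the rule's detection logic, evaluated against
# constructed registry_set events. The provider GUID and every event below are
# made up for illustration; field names (TargetObject, Details) follow the
# Sigma Windows registry_set log source, which Sysmon reports as Event ID 13.

# Sigma string modifiers (contains, endswith) are case-insensitive by default,
# so comparisons are done on lower-cased values.
CONTAINS_PATTERN = "\\software\\microsoft\\cryptography\\providers\\{"
ENDSWITH_PATTERN = "\\seed"
EMPTY_MARKER = "(empty)"

# Constructed sample events (not real telemetry). Only TargetObject and
# Details influence the rule; Image is included so the records look like
# flattened Sysmon Event ID 13 entries.
SAMPLE_EVENTS = [
    {   # expected hit: Seed value written under a provider GUID with data
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers"
                        "\\{11111111-2222-3333-4444-555555555555}\\Seed",
        "Details": "Binary Data",
    },
    {   # suppressed by filter_main_empty: the value was set to empty data
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers"
                        "\\{11111111-2222-3333-4444-555555555555}\\Seed",
        "Details": "(Empty)",
    },
    {   # no hit: a different value name under the same provider key
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers"
                        "\\{11111111-2222-3333-4444-555555555555}\\Type",
        "Details": "DWORD (0x00000001)",
    },
    {   # no hit: a "Seed" value outside the Providers\{GUID} subtree
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\lsass.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed",
        "Details": "Binary Data",
    },
]


def selection(event: dict) -> bool:
    """Sigma 'selection': both TargetObject conditions must hold (implicit AND)."""
    target = event.get("TargetObject", "").lower()
    return CONTAINS_PATTERN in target and target.endswith(ENDSWITH_PATTERN)


def filter_main_empty(event: dict) -> bool:
    """Sigma 'filter_main_empty': the written data is reported as (Empty)."""
    return EMPTY_MARKER in event.get("Details", "").lower()


# Every filter the condition refers to through the wildcard filter_main_*.
FILTERS = [filter_main_empty]


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


def evaluate(events: list) -> list:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT level=medium image={hit['Image']} target={hit['TargetObject']}")
```

Run as a script it prints one alert, for the first record only: the second record is the same write but with `(Empty)` data, which the `filter_main_empty` exclusion drops, and the last two never satisfy `selection`. In production the rule would be converted for a SIEM with the Sigma tooling rather than evaluated like this; the point of the re-implementation is to show exactly which registry writes the rule keeps and which it discards.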
