Kapeka Backdoor Configuration Persistence

Detects a registry value named "Seed" being set under a subkey of "\SOFTWARE\Microsoft\Cryptography\Providers\". The Kapeka backdoor uses this location to register a new SIP provider and persists its configuration there, which is why the rule is tagged with T1553.003 (SIP and trust provider hijacking) alongside persistence.

Sigma rule

title: Kapeka Backdoor Configuration Persistence
id: cbaa3ef3-07a9-4c8e-82d1-9e40578da7fd
status: experimental
description: |
    Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
    The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel
date: 2024/07/03
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.t1553.003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Cryptography\Providers\{'
        TargetObject|endswith: '\Seed'
    filter_main_empty:
        Details|contains: '(Empty)'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
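To see exactly what the rule's selection and filter do, the following added example (written for this page; it is not the rule author's code and not part of the Sigma project) re-implements the condition in Python and runs it over a handful of constructed events shaped like Sysmon Event ID 13 (registry value set). The GUID, image paths and record numbers are placeholders, not indicators from the Kapeka report. Two behaviours worth noticing: Sigma's `contains`/`endswith` modifiers match case-insensitively by default, so a lower-cased path still alerts, and Sysmon renders an empty value payload as the literal string `(Empty)`, which is what `filter_main_empty` uses to drop value clears.

```python
# Added example for this page: evaluate the Sigma rule's selection/filter
# logic over constructed registry_set events. Not the rule author's code.

# Sigma's contains/endswith modifiers are case-insensitive by default; these
# helpers mirror that so mixed-case registry paths behave as Sigma expects.
def sigma_contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def sigma_endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def selection(event: dict) -> bool:
    """The rule's 'selection' block: both TargetObject conditions must hold.
    A missing field never matches, as in Sigma."""
    target = event.get("TargetObject", "")
    return (
        sigma_contains(target, r"\SOFTWARE\Microsoft\Cryptography\Providers\{")
        and sigma_endswith(target, r"\Seed")
    )


def filter_main_empty(event: dict) -> bool:
    """The rule's 'filter_main_empty' block. Sysmon writes the literal
    '(Empty)' into Details when the value payload is empty."""
    return sigma_contains(event.get("Details", ""), "(Empty)")


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_empty(event)


def detect(events: list) -> list:
    """Return the RecordNumber of every event the rule would alert on."""
    return [e["RecordNumber"] for e in events if rule_matches(e)]


# Constructed sample events in the shape of Sysmon Event ID 13, using the
# field names Sigma's windows/registry_set log source exposes. Placeholder
# GUID and paths; none of these values come from the Kapeka report.
SAMPLE_EVENTS = [
    {   # 1: Seed written under a GUID subkey of Providers -> alerts
        "RecordNumber": 1,
        "Image": r"C:\Users\Public\sample.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\Providers\{11111111-2222-3333-4444-555555555555}\Seed",
        "Details": "Binary Data",
    },
    {   # 2: same value being cleared -> selection hits, filter removes it
        "RecordNumber": 2,
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\Providers\{11111111-2222-3333-4444-555555555555}\Seed",
        "Details": "(Empty)",
    },
    {   # 3: trust-provider subkey: no '{' right after Providers\ and not \Seed -> no alert
        "RecordNumber": 3,
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Example",
        "Details": "DWORD (0x00000001)",
    },
    {   # 4: lower-case rendering of event 1's path -> still alerts (case-insensitive)
        "RecordNumber": 4,
        "Image": r"C:\Users\Public\sample.exe",
        "TargetObject": r"hklm\software\microsoft\cryptography\providers\{11111111-2222-3333-4444-555555555555}\seed",
        "Details": "Binary Data",
    },
]


if __name__ == "__main__":
    for record in detect(SAMPLE_EVENTS):
        print(f"ALERT: record {record} matches {'Kapeka Backdoor Configuration Persistence'!r}")
```

Running it reports records 1 and 4 and stays silent on 2 and 3. One operational caveat before relying on the rule: Sysmon only emits Event ID 13 for keys its configuration includes, so confirm that your Sysmon config covers writes under `HKLM\SOFTWARE\Microsoft\Cryptography\Providers\` (and, if you suspect per-user installs, the HKU equivalent) or the rule will never see the event.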
