Sigma Rule Update (2024-07-04 20:12:30) (#681)

Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>

sigma/builtin/emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml

@@ -0,0 +1,56 @@
+title: Kapeka Backdoor Persistence Activity
+id: 1dec77f2-6e9b-fc57-6fb4-0cca63a6f812
+related:
+    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
+      type: derived
+status: experimental
+description: |
+    Detects Kapeka backdoor persistence activity.
+    Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
+    For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
+    To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
+    Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
+references:
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+    - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
+author: Swachchhanda Shrawan Poudel
+date: 2024/07/03
+tags:
+    - attack.persistence
+    - attack.t1053.005
+    - sysmon
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_schtasks_img:
+        - NewProcessName|endswith: \schtasks.exe
+        - OriginalFileName: schtasks.exe
+    selection_schtasks_flags:
+        CommandLine|contains|all:
+            - create
+            - ONSTART
+    selection_reg_img:
+        - NewProcessName|endswith: \reg.exe
+        - OriginalFileName: reg.exe
+    selection_reg_flags:
+        CommandLine|contains|all:
+            - add
+            - \Software\Microsoft\Windows\CurrentVersion\Run
+    selection_backdoor_command:
+        CommandLine|contains|all:
+            - rundll32
+            - .wll
+            - '#1'
+        CommandLine|contains:
+            - Sens Api
+            - OneDrive   # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases
+    condition: process_creation and ((all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command)
+falsepositives:
+    - Unlikely
+level: high
+ruletype: Sigma

sigma/builtin/emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml

@@ -0,0 +1,45 @@
+title: Kapeka Backdoor Execution Via RunDLL32.EXE
+id: dd06aed2-9af7-db27-2695-f750b4a2aeb8
+related:
+    - id: e98f741c-6a5b-4c83-bc2a-1f4e58d07b12
+      type: derived
+status: experimental
+description: |
+    Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
+references:
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+date: 2024/07/03
+tags:
+    - attack.defense_evasion
+    - attack.t1218.011
+    - sysmon
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_img:
+        - NewProcessName|endswith: \rundll32.exe
+        - OriginalFileName: RUNDLL32.EXE
+    selection_backdoor_path:
+        CommandLine|contains:
+            - :\ProgramData
+            - \AppData\Local
+    selection_backdoor_exec_1:
+        CommandLine|contains|all:
+            - .wll
+            - '#1'
+            - ' -d'
+    selection_backdoor_exec_2:
+        # This account for the in the wild variant
+        CommandLine|contains: .wll
+        CommandLine|endswith: '#1'
+    condition: process_creation and (selection_img and selection_backdoor_path and 1 of selection_backdoor_exec_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/builtin/emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml

@@ -0,0 +1,34 @@
+title: Kapeka Backdoor Autorun Persistence
+id: 4f676138-05ac-facf-8305-99c355044751
+status: experimental
+description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
+references:
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+author: Swachchhanda Shrawan Poudel
+date: 2024/07/03
+tags:
+    - attack.persistence
+    - attack.t1547.001
+    - sysmon
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    registry_set:
+        EventID: 4657
+        Channel: Security
+    selection_base:
+        ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+        ObjectName|endswith:
+            - \Sens Api
+            - \OneDrive
+        NewValue|contains|all:
+            - :\WINDOWS\system32\rundll32.exe
+            - .wll
+            - '#1'
+    condition: registry_set and (all of selection_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/builtin/emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml

@@ -0,0 +1,36 @@
+title: Kapeka Backdoor Configuration Persistence
+id: 48e70678-2188-d6d9-11d7-598823558254
+related:
+    - id: cbaa3ef3-07a9-4c8e-82d1-9e40578da7fd
+      type: derived
+status: experimental
+description: |
+    Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
+    The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
+references:
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+author: Swachchhanda Shrawan Poudel
+date: 2024/07/03
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.t1553.003
+    - sysmon
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    registry_set:
+        EventID: 4657
+        Channel: Security
+    selection:
+        ObjectName|contains: \SOFTWARE\Microsoft\Cryptography\Providers\{
+        ObjectName|endswith: \Seed
+    filter_main_empty:
+        NewValue|contains: (Empty)
+    condition: registry_set and (selection and not 1 of filter_main_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml

@@ -0,0 +1,48 @@
+title: Kapeka Backdoor Scheduled Task Creation
+id: fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2
+related:
+    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
+      type: similar
+    - id: 6c130acd-0adb-4545-bcc4-2e85d0883c9a
+      type: derived
+status: experimental
+description: Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
+references:
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+    - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
+author: Swachchhanda Shrawan Poudel
+date: 2024/07/03
+tags:
+    - attack.execution
+    - attack.privilege_escalation
+    - attack.persistence
+    - attack.t1053.005
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to trigger this detection.'
+detection:
+    security:
+        Channel: Security
+    selection_eid:
+        EventID: 4698
+    selection_paths:
+        TaskContent|contains:
+            - :\ProgramData\
+            - \AppData\Local\
+    selection_command:
+        TaskContent|contains|all:
+            - rundll32
+            - .wll
+            - '#1'
+    selection_taskname:
+        TaskContent|contains:
+            - OneDrive   # The scheduled task was called “OneDrive” instead of “Sens Api” in some cases
+            - Sens Api
+    condition: security and (all of selection_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/builtin/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml

@@ -1,10 +1,11 @@
-title: Potential PendingFileRenameOperations Tamper
+title: Potential PendingFileRenameOperations Tampering
 id: cddc552b-0261-3637-470e-9296ae9dd79f
 related:
     - id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
       type: derived
 status: test
-description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.
+description: |
+    Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
 references:
     - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
     - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
@@ -13,6 +14,7 @@ references:
     - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
 author: frack113
 date: 2023/01/27
+modified: 2024/07/03
 tags:
     - attack.defense_evasion
     - attack.t1036.003
@@ -37,6 +39,6 @@ detection:
             - \regedit.exe
     condition: registry_set and (selection_main and 1 of selection_susp_*)
 falsepositives:
-    - Installers and updaters may set currently in use files for rename after a reboot.
+    - Installers and updaters may set currently in use files for rename or deletion after a reboot.
 level: medium
 ruletype: Sigma

sigma/sysmon/emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml

@@ -0,0 +1,38 @@
+title: Potential Kapeka Decrypted Backdoor Indicator
+id: db6a3631-9d7f-8ee2-6b13-cee9e0c9222a
+related:
+    - id: 20228d05-dd68-435d-8b4e-e7e64938880c
+      type: derived
+status: experimental
+description: |
+    Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
+    The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.
+references:
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+date: 2024/07/03
+tags:
+    - attack.defense_evasion
+    - sysmon
+logsource:
+    category: file_event
+    product: windows
+detection:
+    file_event:
+        EventID: 11
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection_generic:
+        TargetFilename|contains:
+            - :\ProgramData\
+            - \AppData\Local\
+        TargetFilename|re: \\[a-zA-Z]{5,6}\.wll
+    selection_specific:
+        TargetFilename|endswith:
+            - \win32log.exe
+            - \crdss.exe
+    condition: file_event and (1 of selection_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/sysmon/emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml

@@ -0,0 +1,38 @@
+title: Kapeka Backdoor Loaded Via Rundll32.EXE
+id: 27405062-da31-0e4b-5b00-98b4d0f4bd50
+related:
+    - id: a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c
+      type: derived
+status: experimental
+description: |
+    Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
+    The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
+references:
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+author: Swachchhanda Shrawan Poudel
+date: 2024/07/03
+tags:
+    - attack.execution
+    - attack.t1204.002
+    - attack.defense_evasion
+    - attack.t1218.011
+    - sysmon
+logsource:
+    category: image_load
+    product: windows
+detection:
+    image_load:
+        EventID: 7
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        Image|endswith: \rundll32.exe
+        ImageLoaded|contains:
+            - :\ProgramData
+            - \AppData\Local\
+        ImageLoaded|re: '[a-zA-Z]{5,6}\.wll'
+    condition: image_load and selection
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/sysmon/emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml

@@ -0,0 +1,56 @@
+title: Kapeka Backdoor Persistence Activity
+id: f02e313d-1a90-7844-3c8b-694e83be0bde
+related:
+    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
+      type: derived
+status: experimental
+description: |
+    Detects Kapeka backdoor persistence activity.
+    Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
+    For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
+    To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
+    Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
+references:
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+    - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
+author: Swachchhanda Shrawan Poudel
+date: 2024/07/03
+tags:
+    - attack.persistence
+    - attack.t1053.005
+    - sysmon
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 1
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection_schtasks_img:
+        - Image|endswith: \schtasks.exe
+        - OriginalFileName: schtasks.exe
+    selection_schtasks_flags:
+        CommandLine|contains|all:
+            - create
+            - ONSTART
+    selection_reg_img:
+        - Image|endswith: \reg.exe
+        - OriginalFileName: reg.exe
+    selection_reg_flags:
+        CommandLine|contains|all:
+            - add
+            - \Software\Microsoft\Windows\CurrentVersion\Run
+    selection_backdoor_command:
+        CommandLine|contains|all:
+            - rundll32
+            - .wll
+            - '#1'
+        CommandLine|contains:
+            - Sens Api
+            - OneDrive   # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases
+    condition: process_creation and ((all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command)
+falsepositives:
+    - Unlikely
+level: high
+ruletype: Sigma