Sigma Rule Update (2024-07-04 20:12:30) (#681)
Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>
1 parent ae48608, commit 718ca07. Showing 13 changed files with 481 additions and 6 deletions.
56 changes: 56 additions & 0 deletions
...ing-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml
@@ -0,0 +1,56 @@ | ||
title: Kapeka Backdoor Persistence Activity | ||
id: 1dec77f2-6e9b-fc57-6fb4-0cca63a6f812 | ||
related: | ||
- id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819 | ||
type: derived | ||
status: experimental | ||
description: | | ||
Detects Kapeka backdoor persistence activity. | ||
Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). | ||
For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. | ||
To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. | ||
Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument. | ||
references: | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
- https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior | ||
author: Swachchhanda Shrawan Poudel | ||
date: 2024/07/03 | ||
tags: | ||
- attack.persistence | ||
- attack.t1053.005 | ||
- sysmon | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
process_creation: | ||
EventID: 4688 | ||
Channel: Security | ||
selection_schtasks_img: | ||
- NewProcessName|endswith: \schtasks.exe | ||
- OriginalFileName: schtasks.exe | ||
selection_schtasks_flags: | ||
CommandLine|contains|all: | ||
- create | ||
- ONSTART | ||
selection_reg_img: | ||
- NewProcessName|endswith: \reg.exe | ||
- OriginalFileName: reg.exe | ||
selection_reg_flags: | ||
CommandLine|contains|all: | ||
- add | ||
- \Software\Microsoft\Windows\CurrentVersion\Run | ||
selection_backdoor_command: | ||
CommandLine|contains|all: | ||
- rundll32 | ||
- .wll | ||
- '#1' | ||
CommandLine|contains: | ||
- Sens Api | ||
- OneDrive # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases | ||
condition: process_creation and ((all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command) | ||
falsepositives: | ||
- Unlikely | ||
level: high | ||
ruletype: Sigma |
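Review bot: the second alternative in `selection_schtasks_img` and `selection_reg_img` (`OriginalFileName: schtasks.exe` / `OriginalFileName: reg.exe`) can never match in this Security-channel variant, because Security event 4688 carries only `NewProcessName` and has no `OriginalFileName` field; that is Sysmon metadata. The branch is harmless but dead, so either drop it here or add a comment that it is kept for parity with the Sysmon copy of this rule. The `NewProcessName|endswith` alternative does the work on its own.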
45 changes: 45 additions & 0 deletions
...eats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml
@@ -0,0 +1,45 @@ | ||
title: Kapeka Backdoor Execution Via RunDLL32.EXE | ||
id: dd06aed2-9af7-db27-2695-f750b4a2aeb8 | ||
related: | ||
- id: e98f741c-6a5b-4c83-bc2a-1f4e58d07b12 | ||
type: derived | ||
status: experimental | ||
description: | | ||
Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument. | ||
references: | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) | ||
date: 2024/07/03 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1218.011 | ||
- sysmon | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
process_creation: | ||
EventID: 4688 | ||
Channel: Security | ||
selection_img: | ||
- NewProcessName|endswith: \rundll32.exe | ||
- OriginalFileName: RUNDLL32.EXE | ||
selection_backdoor_path: | ||
CommandLine|contains: | ||
- :\ProgramData | ||
- \AppData\Local | ||
selection_backdoor_exec_1: | ||
CommandLine|contains|all: | ||
- .wll | ||
- '#1' | ||
- ' -d' | ||
selection_backdoor_exec_2: | ||
# This account for the in the wild variant | ||
CommandLine|contains: .wll | ||
CommandLine|endswith: '#1' | ||
condition: process_creation and (selection_img and selection_backdoor_path and 1 of selection_backdoor_exec_*) | ||
falsepositives: | ||
- Unknown | ||
level: high | ||
ruletype: Sigma |
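Review bot: two wording fixes are needed in the documentation of this hunk. The inline comment on `selection_backdoor_exec_2`, `# This account for the in the wild variant`, should read `# This accounts for the in-the-wild variant`, and the description's "where the dropper launch the backdoor binary" should read "launches". Separately, `selection_backdoor_path` uses `:\ProgramData` without a trailing backslash while the file_event and scheduled-task rules in this commit use `:\ProgramData\`; aligning the form keeps path matching consistent across the Kapeka set.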
34 changes: 34 additions & 0 deletions
...-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml
@@ -0,0 +1,34 @@ | ||
title: Kapeka Backdoor Autorun Persistence | ||
id: 4f676138-05ac-facf-8305-99c355044751 | ||
status: experimental | ||
description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence. | ||
references: | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
author: Swachchhanda Shrawan Poudel | ||
date: 2024/07/03 | ||
tags: | ||
- attack.persistence | ||
- attack.t1547.001 | ||
- sysmon | ||
logsource: | ||
category: registry_set | ||
product: windows | ||
detection: | ||
registry_set: | ||
EventID: 4657 | ||
Channel: Security | ||
selection_base: | ||
ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ||
ObjectName|endswith: | ||
- \Sens Api | ||
- \OneDrive | ||
NewValue|contains|all: | ||
- :\WINDOWS\system32\rundll32.exe | ||
- .wll | ||
- '#1' | ||
condition: registry_set and (all of selection_*) | ||
falsepositives: | ||
- Unknown | ||
level: high | ||
ruletype: Sigma |
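Review bot: `ObjectName|endswith` with `\Sens Api` and `\OneDrive` assumes the value name is appended to the key path, but in a native Security 4657 event `ObjectName` holds the key path and the value name is reported separately in `ObjectValueName`. Unless the field mapping used for these converted rules concatenates the two, this clause never matches and should become an `ObjectValueName` match on `Sens Api` / `OneDrive` next to `ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run`. Also, 4657 only fires when Object Access > Audit Registry is enabled and the key carries a SACL; a `definition:` line stating that requirement, as the 4698 rule in this commit does, would spare analysts a silent miss.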
36 changes: 36 additions & 0 deletions
...erging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml
@@ -0,0 +1,36 @@ | ||
title: Kapeka Backdoor Configuration Persistence | ||
id: 48e70678-2188-d6d9-11d7-598823558254 | ||
related: | ||
- id: cbaa3ef3-07a9-4c8e-82d1-9e40578da7fd | ||
type: derived | ||
status: experimental | ||
description: | | ||
Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. | ||
The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence. | ||
references: | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
author: Swachchhanda Shrawan Poudel | ||
date: 2024/07/03 | ||
tags: | ||
- attack.persistence | ||
- attack.defense_evasion | ||
- attack.t1553.003 | ||
- sysmon | ||
logsource: | ||
category: registry_set | ||
product: windows | ||
detection: | ||
registry_set: | ||
EventID: 4657 | ||
Channel: Security | ||
selection: | ||
ObjectName|contains: \SOFTWARE\Microsoft\Cryptography\Providers\{ | ||
ObjectName|endswith: \Seed | ||
filter_main_empty: | ||
NewValue|contains: (Empty) | ||
condition: registry_set and (selection and not 1 of filter_main_*) | ||
falsepositives: | ||
- Unknown | ||
level: medium | ||
ruletype: Sigma |
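Review bot: `filter_main_empty` compares `NewValue` with the literal string `(Empty)`, which is how Sysmon renders an empty `Details` field; a Security 4657 event reports an empty value as a blank `NewValue`, so on this channel the filter is likely inert and the rule will also fire on the empty-value writes it is meant to exclude. If the converter does not normalise blanks to `(Empty)`, add a filter on a blank `NewValue`, or drop the filter with a note that empty writes are accepted. The trailing `{` in `ObjectName|contains: \SOFTWARE\Microsoft\Cryptography\Providers\{` is a compact way to require a GUID subkey; a comment saying so would help the next reader.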
48 changes: 48 additions & 0 deletions
...eats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml
@@ -0,0 +1,48 @@ | ||
title: Kapeka Backdoor Scheduled Task Creation | ||
id: fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2 | ||
related: | ||
- id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819 | ||
type: similar | ||
- id: 6c130acd-0adb-4545-bcc4-2e85d0883c9a | ||
type: derived | ||
status: experimental | ||
description: Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc. | ||
references: | ||
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
- https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior | ||
author: Swachchhanda Shrawan Poudel | ||
date: 2024/07/03 | ||
tags: | ||
- attack.execution | ||
- attack.privilege_escalation | ||
- attack.persistence | ||
- attack.t1053.005 | ||
logsource: | ||
product: windows | ||
service: security | ||
definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to trigger this detection.' | ||
detection: | ||
security: | ||
Channel: Security | ||
selection_eid: | ||
EventID: 4698 | ||
selection_paths: | ||
TaskContent|contains: | ||
- :\ProgramData\ | ||
- \AppData\Local\ | ||
selection_command: | ||
TaskContent|contains|all: | ||
- rundll32 | ||
- .wll | ||
- '#1' | ||
selection_taskname: | ||
TaskContent|contains: | ||
- OneDrive # The scheduled task was called “OneDrive” instead of “Sens Api” in some cases | ||
- Sens Api | ||
condition: security and (all of selection_*) | ||
falsepositives: | ||
- Unknown | ||
level: high | ||
ruletype: Sigma |
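Review bot: `selection_taskname` looks for the task name inside `TaskContent`, but 4698 reports the name in its own `TaskName` field; the match only works when the task XML carries the name in its `<URI>` element. Matching `TaskName|endswith` on `\Sens Api` and `\OneDrive` is the direct form and does not depend on that. Two wording fixes: "commands line flags" in the description should be "command line flags", and the comment on the `OneDrive` entry uses curly quotes (“OneDrive”, “Sens Api”) where the sibling process_creation rules use straight quotes.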
38 changes: 38 additions & 0 deletions
...merging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml
@@ -0,0 +1,38 @@ | ||
title: Potential Kapeka Decrypted Backdoor Indicator | ||
id: db6a3631-9d7f-8ee2-6b13-cee9e0c9222a | ||
related: | ||
- id: 20228d05-dd68-435d-8b4e-e7e64938880c | ||
type: derived | ||
status: experimental | ||
description: | | ||
Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. | ||
The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection. | ||
references: | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) | ||
date: 2024/07/03 | ||
tags: | ||
- attack.defense_evasion | ||
- sysmon | ||
logsource: | ||
category: file_event | ||
product: windows | ||
detection: | ||
file_event: | ||
EventID: 11 | ||
Channel: Microsoft-Windows-Sysmon/Operational | ||
selection_generic: | ||
TargetFilename|contains: | ||
- :\ProgramData\ | ||
- \AppData\Local\ | ||
TargetFilename|re: \\[a-zA-Z]{5,6}\.wll | ||
selection_specific: | ||
TargetFilename|endswith: | ||
- \win32log.exe | ||
- \crdss.exe | ||
condition: file_event and (1 of selection_*) | ||
falsepositives: | ||
- Unknown | ||
level: high | ||
ruletype: Sigma |
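Review bot: the description never mentions the two fixed names in `selection_specific` (`\win32log.exe`, `\crdss.exe`), so a reader cannot tell which Kapeka component they belong to; one sentence tying them to the referenced WithSecure write-up would close that gap. Two sentences also need repair: "a file that is decrypted backdoor binary" should be "a file that is the decrypted backdoor binary", and "The file, typically 5-6 characters long ... to evade detection." has no main verb (for example "The file name is typically 5-6 characters long ..."). On the regex, `\\[a-zA-Z]{5,6}\.wll` is anchored on the left by the backslash, which is what stops a seven-letter name from matching; appending `$` would additionally prevent a match on a name such as `abcde.wll.tmp`.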
38 changes: 38 additions & 0 deletions
sigma/sysmon/emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml
@@ -0,0 +1,38 @@ | ||
title: Kapeka Backdoor Loaded Via Rundll32.EXE | ||
id: 27405062-da31-0e4b-5b00-98b4d0f4bd50 | ||
related: | ||
- id: a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c | ||
type: derived | ||
status: experimental | ||
description: | | ||
Detects the Kapeka Backdoor binary being loaded by rundll32.exe. | ||
The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In. | ||
references: | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
author: Swachchhanda Shrawan Poudel | ||
date: 2024/07/03 | ||
tags: | ||
- attack.execution | ||
- attack.t1204.002 | ||
- attack.defense_evasion | ||
- attack.t1218.011 | ||
- sysmon | ||
logsource: | ||
category: image_load | ||
product: windows | ||
detection: | ||
image_load: | ||
EventID: 7 | ||
Channel: Microsoft-Windows-Sysmon/Operational | ||
selection: | ||
Image|endswith: \rundll32.exe | ||
ImageLoaded|contains: | ||
- :\ProgramData | ||
- \AppData\Local\ | ||
ImageLoaded|re: '[a-zA-Z]{5,6}\.wll' | ||
condition: image_load and selection | ||
falsepositives: | ||
- Unknown | ||
level: high | ||
ruletype: Sigma |
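Review bot: `ImageLoaded|re: '[a-zA-Z]{5,6}\.wll'` has no left anchor, unlike the `\\[a-zA-Z]{5,6}\.wll` form used in the file_event rule of this commit, so any `.wll` whose base name has five or more letters matches (the engine simply takes the last five or six letters before the extension) and the 5-6 length property the Kapeka description relies on is not actually enforced here. Prefix the pattern with `\\` (and optionally suffix `$`) so the two rules agree. Minor: `:\ProgramData` lacks the trailing backslash that `\AppData\Local\` has.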
56 changes: 56 additions & 0 deletions
...ing-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml
@@ -0,0 +1,56 @@ | ||
title: Kapeka Backdoor Persistence Activity | ||
id: f02e313d-1a90-7844-3c8b-694e83be0bde | ||
related: | ||
- id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819 | ||
type: derived | ||
status: experimental | ||
description: | | ||
Detects Kapeka backdoor persistence activity. | ||
Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). | ||
For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. | ||
To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. | ||
Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument. | ||
references: | ||
- https://labs.withsecure.com/publications/kapeka | ||
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | ||
- https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior | ||
author: Swachchhanda Shrawan Poudel | ||
date: 2024/07/03 | ||
tags: | ||
- attack.persistence | ||
- attack.t1053.005 | ||
- sysmon | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
process_creation: | ||
EventID: 1 | ||
Channel: Microsoft-Windows-Sysmon/Operational | ||
selection_schtasks_img: | ||
- Image|endswith: \schtasks.exe | ||
- OriginalFileName: schtasks.exe | ||
selection_schtasks_flags: | ||
CommandLine|contains|all: | ||
- create | ||
- ONSTART | ||
selection_reg_img: | ||
- Image|endswith: \reg.exe | ||
- OriginalFileName: reg.exe | ||
selection_reg_flags: | ||
CommandLine|contains|all: | ||
- add | ||
- \Software\Microsoft\Windows\CurrentVersion\Run | ||
selection_backdoor_command: | ||
CommandLine|contains|all: | ||
- rundll32 | ||
- .wll | ||
- '#1' | ||
CommandLine|contains: | ||
- Sens Api | ||
- OneDrive # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases | ||
condition: process_creation and ((all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command) | ||
falsepositives: | ||
- Unlikely | ||
level: high | ||
ruletype: Sigma |
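Review bot: `selection_reg_flags` matches `\Software\Microsoft\Windows\CurrentVersion\Run` with `contains`, which also covers `...\CurrentVersion\RunOnce`, while the description only names `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`; the extra coverage is welcome, but stating it in the description or in a comment on the selection keeps documentation and logic aligned. Likewise the description says the task runs "as SYSTEM" while `selection_schtasks_flags` deliberately requires only `create` and `ONSTART` and no `/ru` flag; a short comment there records that broadening as intentional. This Sysmon copy is otherwise the Security 4688 rule earlier in the commit with `Image` in place of `NewProcessName`, and here `OriginalFileName: schtasks.exe` is a live alternative, since Sysmon event 1 does carry that field.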