Detects Backdoor Kapeka Via Registry Key #4835

Open
cY83rR0H1t opened this issue Apr 24, 2024 · 0 comments
@cY83rR0H1t

Description of the Idea of the Rule

Kapeka: A novel backdoor spotted in Eastern Europe

Public References / Example Event Log

https://labs.withsecure.com/publications/kapeka

title: Detects Backdoor Kapeka Via Registry Key
id: 039abeb3-149a-4d03-8fda-a338d51b9762
status: experimental
description: Detects reg.exe adding a Run key entry that launches the Kapeka backdoor (a .wll file started through rundll32.exe with export ordinal #1, under the value name "Sens Api")
references:
    - https://labs.withsecure.com/publications/kapeka
author: Rohit Jain
date: 2024/04/24
tags:
    - attack.persistence
    - attack.defense-evasion
logsource:
    # process_creation already covers Security 4688 and Sysmon Event ID 1;
    # Sigma has no "event id" detection key.
    product: windows
    category: process_creation
detection:
    selection_img:
        # Sigma string matching is case-insensitive, so no (?i); Image always carries the extension.
        Image|endswith: '\reg.exe'
        ParentImage|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    selection_cli:
        # A plain "contains" list is OR-ed; "contains|all" requires every term
        # so that an arbitrary reg.exe command mentioning rundll32.exe does not fire.
        CommandLine|contains|all:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
            - 'sens api'
            - 'rundll32.exe'
            - '.wll'
            - '#1'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
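To show what the rule above actually fires on, here is an added example that is not part of the issue and not SigmaHQ code: it re-implements the corrected detection logic in Python and runs it over four constructed process_creation events, next to the OR-ed "contains" semantics the originally posted selection list had. The events, paths and the value name in them are constructed for illustration; only the field names (Image, ParentImage, CommandLine) are the Sigma process_creation field names.

```python
"""Added example (not from the issue or SigmaHQ): evaluate the Kapeka Run-key
rule over constructed process_creation events.

The Sigma semantics mirrored here: string matching is case-insensitive,
"endswith" is a suffix test, a list under "contains" is OR-ed, and
"contains|all" requires every listed term.
"""

# Constructed sample events. Only EVENTS[0] is the Kapeka-style Run-key write.
EVENTS = [
    {   # constructed: reg.exe persisting a .wll via rundll32 ordinal #1, value "Sens Api"
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (r'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run '
                        r'/v "Sens Api" /t REG_SZ '
                        r'/d "C:\Windows\System32\rundll32.exe C:\Users\Public\x.wll #1" /f'),
    },
    {   # constructed: benign Run key written by an installer script
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (r'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run '
                        r'/v OneDrive /t REG_SZ /d "C:\Users\bob\OneDrive.exe /background"'),
    },
    {   # constructed: a registry query that merely mentions rundll32.exe
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\powershell.exe",
        "CommandLine": r"reg query HKLM\SOFTWARE\Classes\CLSID /f rundll32.exe /s",
    },
    {   # constructed: the backdoor being launched, but not via reg.exe
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"rundll32.exe C:\Users\Public\x.wll #1",
    },
]

# Terms from the rule's CommandLine selection.
CLI_TERMS = (
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "sens api",
    "rundll32.exe",
    ".wll",
    "#1",
)


def selection_img(event):
    """Image|endswith '\\reg.exe' and ParentImage|endswith cmd.exe or powershell.exe."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    return image.endswith("\\reg.exe") and parent.endswith(("\\cmd.exe", "\\powershell.exe"))


def selection_cli_all(event):
    """CommandLine|contains|all: every term must be present (corrected rule)."""
    cli = event.get("CommandLine", "").lower()
    return all(term.lower() in cli for term in CLI_TERMS)


def selection_cli_any(event):
    """A plain CommandLine|contains list is OR-ed: any single term suffices (original list)."""
    cli = event.get("CommandLine", "").lower()
    return any(term.lower() in cli for term in CLI_TERMS)


def matches_corrected(event):
    """condition: all of selection_* with the contains|all command-line selection."""
    return selection_img(event) and selection_cli_all(event)


def matches_original(event):
    """Same image selection, but the OR-ed command-line list from the issue."""
    return selection_img(event) and selection_cli_any(event)


def evaluate(events, matcher):
    """Return the indexes of the events the given matcher fires on."""
    return [i for i, event in enumerate(events) if matcher(event)]


if __name__ == "__main__":
    print("corrected rule fires on:", evaluate(EVENTS, matches_corrected))  # [0]
    print("OR-ed list fires on:   ", evaluate(EVENTS, matches_original))   # [0, 1, 2]
```

The OR-ed list flags the benign installer (it touches the Run key) and a plain registry query (it mentions rundll32.exe), while the corrected selection only fires on the event where all five indicators co-occur. The fourth event is a reminder of the rule's scope: it keys on reg.exe as the writer of the persistence entry, so a Run value set through the registry API rather than reg.exe would need a registry-event rule (Sysmon Event ID 13 / Sigma registry_set) carrying the same value-name and command-line indicators.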