Kapeka Backdoor Persistence Activity

Status: test
Severity: high
Log source: product windows, category process_creation
Author: Swachchhanda Shrawan Poudel
Source: github.com/SigmaHQ/sigma

Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1053.005` Scheduled Task/Job: Scheduled Task
Persistence	`T1053.005` Scheduled Task/Job: Scheduled Task
Privilege Escalation	`T1053.005` Scheduled Task/Job: Scheduled Task

Event coverage

Provider	Event	Title
Sysmon	Event ID 1	Process creation

Rule body yaml

title: Kapeka Backdoor Persistence Activity
id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
status: test
description: |
    Detects Kapeka backdoor persistence activity.
    Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
    For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
    To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
    Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
    - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_schtasks_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_schtasks_flags:
        CommandLine|contains|all:
            - 'create'
            - 'ONSTART'
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_flags:
        CommandLine|contains|all:
            - 'add'
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
    selection_backdoor_command:
        CommandLine|contains|all:
            - 'rundll32'
            - '.wll'
            - '#1'
        CommandLine|contains:
            - 'Sens Api'
            - 'OneDrive' # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases
    condition: (all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command
falsepositives:
    - Unlikely
level: high

Stages and Predicates

Stage 0: `condition`

(all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command

Stage 1: `selection_schtasks_img`

selection_schtasks_img:
    - Image|endswith: '\schtasks.exe'
    - OriginalFileName: 'schtasks.exe'

Stage 2: `selection_schtasks_flags`

selection_schtasks_flags:
    CommandLine|contains|all:
        - 'create'
        - 'ONSTART'

Stage 3: `selection_reg_img`

selection_reg_img:
    - Image|endswith: '\reg.exe'
    - OriginalFileName: 'reg.exe'

Stage 4: `selection_reg_flags`

selection_reg_flags:
    CommandLine|contains|all:
        - 'add'
        - '\Software\Microsoft\Windows\CurrentVersion\Run'

Stage 5: `selection_backdoor_command`

selection_backdoor_command:
    CommandLine|contains|all:
        - 'rundll32'
        - '.wll'
        - '#1'
    CommandLine|contains:
        - 'Sens Api'
        - 'OneDrive'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`#1` corpus 2 (sigma 2) `.wll` corpus 2 (sigma 2) `ONSTART` corpus 2 (sigma 1, kusto 1) `OneDrive` `Sens Api` `\Software\Microsoft\Windows\CurrentVersion\Run` corpus 3 (sigma 3) `add` corpus 34 (sigma 26, splunk 4, chronicle 2, kusto 2) `create` corpus 24 (sigma 17, splunk 7) `rundll32` corpus 26 (sigma 23, chronicle 2, kusto 1)
`Image`	ends_with	`\reg.exe` corpus 58 (sigma 58) `\schtasks.exe` corpus 56 (sigma 56)
`OriginalFileName`	eq	`reg.exe` corpus 42 (sigma 32, splunk 8, elastic 2) `schtasks.exe` corpus 23 (sigma 18, splunk 4, elastic 1)

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Kapeka Backdoor Persistence Activity

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: `condition`

Stage 1: `selection_schtasks_img`

Stage 2: `selection_schtasks_flags`

Stage 3: `selection_reg_img`

Stage 4: `selection_reg_flags`

Stage 5: `selection_backdoor_command`

Indicators

Keyboard shortcuts

Search operators

Kapeka Backdoor Persistence Activity

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: condition

Stage 1: selection_schtasks_img

Stage 2: selection_schtasks_flags

Stage 3: selection_reg_img

Stage 4: selection_reg_flags

Stage 5: selection_backdoor_command

Indicators

Stage 0: `condition`

Stage 1: `selection_schtasks_img`

Stage 2: `selection_schtasks_flags`

Stage 3: `selection_reg_img`

Stage 4: `selection_reg_flags`

Stage 5: `selection_backdoor_command`