Kapeka Backdoor Persistence Activity
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
Kapeka Backdoor Persistence Activity | Standard | Windows | Execution: Scheduled Task/Job - Scheduled Task (T1053.005); Persistence: Scheduled Task/Job - Scheduled Task (T1053.005); Privilege Escalation: Scheduled Task/Job - Scheduled Task (T1053.005) | Trouble |
About the rule
Rule Type
Standard
Rule Description
The Kapeka backdoor is a toolkit used by the Sandstorm threat group in order to establish persistence in the victim's network and exfiltrate sensitive data. The malware maintains persistence in the system by altering registry keys and running scheduled tasks. This rule detects such executions associated with Kapeka Backdoor for persistence.
Severity
Trouble
Rule journey
Attack chain scenario
Execution → Privilege Escalation → Persistence → Scheduled Task executions → Impact → Data Exfiltration
Impact
- System compromises
- Persistence
- Data theft
Rule Requirement
Prerequisites
- Windows Event Viewer
Logon to Group Policy Management Console with administrative privileges and enable auditing for process creation and termination events. For enhanced process tracking enable the inclusion of command line information in process creation events. Finally, create a new registry key "Microsoft-Windows-Security-Auditing/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".
- Sysmon
Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add process creation events to the configuration file to capture all process creations. Finally, create a registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".
(((((( PROCESSNAME ENDS_WITH ""\\schtasks.exe"" ) ) OR ((ORIGINALFILENAME = ""schtasks.exe"" ))) AND ((( COMMANDLINE CONTAINS ""create"" ) AND( COMMANDLINE CONTAINS ""onstart"" ) ))) OR (((( COMMANDLINE CONTAINS ""add"" ) AND( COMMANDLINE CONTAINS ""\\software\\microsoft\\windows\\currentversion\\run"" ) )) AND ((( PROCESSNAME ENDS_WITH ""\\reg.exe"" ) ) OR ((ORIGINALFILENAME = ""reg.exe"" ))))) AND (((( COMMANDLINE CONTAINS ""rundll32"" ) AND( COMMANDLINE CONTAINS "".wll"" ) AND( COMMANDLINE CONTAINS ""#1"" ) ) AND (( COMMANDLINE CONTAINS ""sens api"" ) OR ( COMMANDLINE CONTAINS ""onedrive"" ) ))))
This rule is triggered when the executed process is associated with the following suspicious elements:
- \\schtasks.exe/schtasks.exe: A Windows process or file associated with scheduled task executions.
- create: A command line that indicates the creation of a new process.
- onstart: A command line that triggers a process every time the system starts.
- reg.exe/reg.exe: A Windows process or file associated with the Registry Editor used for modifying Registry keys.
Criteria
Action1: actionname = "Process started" AND (((PROCESSNAME endswith "\schtasks.exe" OR ORIGINALFILENAME = "schtasks.exe") AND (COMMANDLINE contains "create" AND COMMANDLINE contains "ONSTART")) OR ((PROCESSNAME endswith "\reg.exe" OR ORIGINALFILENAME = "reg.exe") AND (COMMANDLINE contains "add" AND COMMANDLINE contains "\Software\Microsoft\Windows\CurrentVersion\Run"))) AND ((COMMANDLINE contains "rundll32" AND COMMANDLINE contains ".wll" AND COMMANDLINE contains "#1") AND COMMANDLINE contains "Sens Api,OneDrive") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Execution: Scheduled Task/Job - Scheduled Task (T1053.005); Persistence: Scheduled Task/Job - Scheduled Task (T1053.005); Privilege Escalation: Scheduled Task/Job - Scheduled Task (T1053.005)
Security Standards
Enabling this rule will help you meet the security standard's requirement listed below:
DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.
When this rule is triggered, you're notified of the execution of the Kapeka backdoor malware. This enables you to identify malicious process creations in the system and detect attempts to establish persistence in the network.
Author
Swachchhanda Shrawan Poudel
Future actions
Known False Positives
This rule might be triggered when legitimate processes or files involving scheduled tasks and Windows Registry are created or executed.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- System process audit: Continuously monitor process creation events and scheduled task executions to detect suspicious processes and malware executions.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1047 | Continuously audit scheduled task executions. | |
M1028 | Enforce policies to allow scheduled task executions using authenticated accounts only. | |
M1026 | Grant permissions to increase scheduling priority to administrators only. | |
M1018 | Limit privileges to create scheduled tasks on remote systems to administrators only. |
