Kapeka Backdoor Loaded Via Rundll32EXE
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Image Loaded" AND (PROCESSNAME endswith "\rundll32.exe" AND OBJECTNAME contains ":\ProgramData,\AppData\Local" AND OBJECTNAME endswith ".wll")
select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.PRODUCT_NAME,Action1.OBJECTNAME,Action1.SIGNATURE,Action1.SIGNATURESTATUS
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Swachchhanda Shrawan Poudel


