Kapeka Backdoor Execution Via RunDLL32.EXE

About the rule

Rule Type

Standard

Rule Description

Kapeka backdoor is a toolkit used for persistence, and rundll32.exe is a legitimate Windows component that runs DLL files as programs. Attackers often abuse rundll32.exe to execute malicious DLLs linked to the Kapeka backdoor to evade detection. This rule helps detect such Kapeka backdoor DLL executions via rundll32.exe.

Severity

Trouble

Rule journey

Attack chain scenario

Execution → Persistence → Defense Evasion → rundll.exe → Impact

Impact

• Persistence
• Defense evasion
• Data compromise

Rule Requirement

Prerequisites

• Windows Event Viewer

Logon to Group Policy Management Console with administrative privileges and enable auditing for process creation and termination events. For enhanced process tracking enable the inclusion of command line information in process creation events. Finally, create a new registry key "Microsoft-Windows-Security-Auditing/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".

• Sysmon

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add process creation events to the configuration file to capture all process creations. Finally, create a registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".

(((((( PROCESSNAME ENDS_WITH ""\\rundll32.exe"" ) ) OR ((ORIGINALFILENAME = ""rundll32.exe"" )))) AND (((( COMMANDLINE CONTAINS "":\\programdata"" ) OR ( COMMANDLINE CONTAINS ""\\appdata\\local"" ) )))) AND (((( COMMANDLINE CONTAINS "".wll"" ) AND( COMMANDLINE CONTAINS ""#1"" ) AND( COMMANDLINE CONTAINS ""-d"" ) )) OR ((( COMMANDLINE CONTAINS "".wll"" ) ) AND (( COMMANDLINE ENDS_WITH ""#1"" ) ))))

This rule is triggered when the executed process is associated with the following suspicious elements:

• \\rundll32.exe/rundll32.exe: Refers to the process of file responsible for running DLLs as programs.
• :\\programdata and \\appdata\\local: Locations where malicious DLLs are stored for persistence and execution.
• .wll, #1,and -d: Refers to parameters associated with DLL executions.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: System Binary Proxy Execution - Rundll32 (T1218.011)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.

When this rule is triggered, you're notified of DLL executions involving Kapeka backdoor malware. This enables you to identify malicious process executions in the system and detect attempts to establish persistence in the network.

Author

Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

This rule might be triggered when legitimate DLL executions occur from the Program Data or Application Data folders.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit file executions: Continuously monitor DLL executions specifically from Program Data or Application Data folders as these are often abused by the Kapeka backdoor for persistence.

Mitigation