Merge PR #4781 from @nasbench - KamiKakaBot Malware Related Rules

new: Potential KamiKakaBot Activity - Lure Document Execution new: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation new: Potential KamiKakaBot Activity - Winlogon Shell Persistence --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2024-03-25 12:35:50 +01:00
parent 961932ee3f
commit c0f7733837
3 changed files with 89 additions and 0 deletions
@@ -0,0 +1,29 @@
+title: Potential KamiKakaBot Activity - Lure Document Execution
+id: 24474469-bd80-46cc-9e08-9fbe81bfaaca
+status: experimental
+description: |
+    Detects the execution of a Word document via the WinWord Start Menu shortcut.
+    This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
+references:
+    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2024/03/22
+tags:
+    - attack.execution
+    - attack.t1059
+    - detection.emerging_threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains|all:
+            - '/c '
+            - '.lnk ~'
+            - 'Start Menu\Programs\Word'
+        CommandLine|endswith: '.doc'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,32 @@
+title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
+id: fe9e8ba9-4419-41e6-a574-bd9f7b3af961
+status: experimental
+description: |
+    Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
+    This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
+references:
+    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
+    - https://tria.ge/240123-rapteaahhr/behavioral1
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2024/03/22
+tags:
+    - attack.persistence
+    - detection.emerging_threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains|all:
+            - ' /create '
+            - 'shutdown /l /f'
+            - 'WEEKLY'
+    filter_main_system_user:
+        User|contains: # covers many language settings
+            - 'AUTHORI'
+            - 'AUTORI'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,28 @@
+title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
+id: c9b86500-1ec2-4de6-9120-d744c8fb5caf
+status: experimental
+description: |
+    Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
+references:
+    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior
+date: 2024/03/22
+tags:
+    - attack.persistence
+    - attack.t1547.001
+    - detection.emerging_threats
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
+        Details|contains|all:
+            - '-nop -w h'
+            - '$env'
+            - 'explorer.exe'
+            - 'Start-Process'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high