diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml
new file mode 100644
index 000000000..426ca1fe8
--- /dev/null
+++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml
@@ -0,0 +1,29 @@
+title: Potential KamiKakaBot Activity - Lure Document Execution
+id: 24474469-bd80-46cc-9e08-9fbe81bfaaca
+status: experimental
+description: |
+    Detects the execution of a Word document via the WinWord Start Menu shortcut.
+    This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
+references:
+    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2024/03/22
+tags:
+    - attack.execution
+    - attack.t1059
+    - detection.emerging_threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains|all:
+            - '/c '
+            - '.lnk ~'
+            - 'Start Menu\Programs\Word'
+        CommandLine|endswith: '.doc'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml
new file mode 100644
index 000000000..1d4b78007
--- /dev/null
+++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml
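Review bot: `CommandLine|endswith: '.doc'` in the selection only fires when the lure path is the final, unquoted token of the command line; a quoted path (ending in `.doc"`) or a `.docx` lure would be missed even though the `.lnk ~` and `Start Menu\Programs\Word` markers still match. If the referenced samples show either form (not verifiable from the hunk), `CommandLine|endswith: ['.doc', '.doc"', '.docx', '.docx"']` keeps the rule tight while closing that gap. The `attack.t1059` tag could also be narrowed to `attack.t1059.003`, since the rule keys on cmd.exe, and `attack.t1204.002` would document the user-executed lure the title refers to.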
@@ -0,0 +1,32 @@
+title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
+id: fe9e8ba9-4419-41e6-a574-bd9f7b3af961
+status: experimental
+description: |
+    Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
+    This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
+references:
+    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
+    - https://tria.ge/240123-rapteaahhr/behavioral1
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2024/03/22
+tags:
+    - attack.persistence
+    - detection.emerging_threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains|all:
+            - ' /create '
+            - 'shutdown /l /f'
+            - 'WEEKLY'
+    filter_main_system_user:
+        User|contains: # covers many language settings
+            - 'AUTHORI'
+            - 'AUTORI'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml
new file mode 100644
index 000000000..23b7ee21d
--- /dev/null
+++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml
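Review bot: The tags list carries only `attack.persistence` while the rule keys on `schtasks.exe` with ` /create `, so `attack.t1053.005` is missing; the Winlogon rule in this same commit does map to its sub-technique (`attack.t1547.001`), and this one should too. Separately, `filter_main_system_user` suppresses any event whose User field contains `AUTHORI`/`AUTORI`, i.e. the local system accounts, which means a task registered from an elevated SYSTEM context is not alerted on; if that trade-off is intentional, extending the existing inline comment to `# covers many language settings; also excludes SYSTEM-created tasks by design` makes it explicit for future tuning. Minor wording in the description: `scheduled task that runs weekly and executes` instead of `schedule task that runs weekly and execute`.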
@@ -0,0 +1,28 @@
+title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
+id: c9b86500-1ec2-4de6-9120-d744c8fb5caf
+status: experimental
+description: |
+    Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
+references:
+    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior
+date: 2024/03/22
+tags:
+    - attack.persistence
+    - attack.t1547.001
+    - detection.emerging_threats
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
+        Details|contains|all:
+            - '-nop -w h'
+            - '$env'
+            - 'explorer.exe'
+            - 'Start-Process'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
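Review bot: The `author` line reads `X__Junior` without the `(Nextron Systems)` affiliation that both sibling rules in this commit attach, so the metadata is inconsistent across the set; `author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)` aligns it. The `Details|contains|all` strings (`-nop -w h`, `$env`, `Start-Process`) describe a PowerShell invocation stored as the Shell value, so tagging `attack.t1059.001` next to `attack.t1547.001` documents the execution half of the behavior. Given `level: high` on an `experimental` rule, a sentence in the description such as "Shell normally holds `explorer.exe` alone; a PowerShell command line in this value is not a legitimate configuration" would help analysts triage the alert without reading the reference.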