From c0f77338374eb0ef33830182f423f8a79fca6420 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 25 Mar 2024 12:35:50 +0100
Subject: [PATCH] Merge PR #4781 from @nasbench - KamiKakaBot Malware Related Rules

new: Potential KamiKakaBot Activity - Lure Document Execution
new: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
new: Potential KamiKakaBot Activity - Winlogon Shell Persistence

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 ...malware_kamikakabot_lnk_lure_execution.yml | 29 +++++++++++++++++
 ...lware_kamikakabot_schtasks_persistence.yml | 32 +++++++++++++++++++
 ...lware_kamikakabot_winlogon_persistence.yml | 28 ++++++++++++++++
 3 files changed, 89 insertions(+)
 create mode 100644 rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml
 create mode 100644 rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml
 create mode 100644 rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml

diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml
new file mode 100644
index 000000000..426ca1fe8
--- /dev/null
+++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml
@@ -0,0 +1,29 @@
+title: Potential KamiKakaBot Activity - Lure Document Execution
+id: 24474469-bd80-46cc-9e08-9fbe81bfaaca
+status: experimental
+description: |
+    Detects the execution of a Word document via the WinWord Start Menu shortcut.
+    This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
+references:
+    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2024/03/22
+tags:
+    - attack.execution
+    - attack.t1059
+    - detection.emerging_threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains|all:
+            - '/c '
+            - '.lnk ~'
+            - 'Start Menu\Programs\Word'
+        CommandLine|endswith: '.doc'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml
new file mode 100644
index 000000000..1d4b78007
--- /dev/null
+++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml
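Review bot: `CommandLine|endswith: '.doc'` in the selection assumes the document path is the final, unquoted token; because the matched path contains spaces (`Start Menu\Programs\Word`), a quoted invocation would end in `.doc"` and fall outside the anchor, and a `.docx` lure would be missed altogether. If the referenced sample is known to end in a bare `.doc`, a comment above that line recording this keeps the anchor deliberate; otherwise `CommandLine|contains: '.doc'`, or a second endswith value `'.doc"'`, is the more robust form. The `attack.t1059` tag could also be complemented with `attack.t1059.003`, since the rule keys on `\cmd.exe`.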
@@ -0,0 +1,32 @@
+title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
+id: fe9e8ba9-4419-41e6-a574-bd9f7b3af961
+status: experimental
+description: |
+    Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
+    This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
+references:
+    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
+    - https://tria.ge/240123-rapteaahhr/behavioral1
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2024/03/22
+tags:
+    - attack.persistence
+    - detection.emerging_threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains|all:
+            - ' /create '
+            - 'shutdown /l /f'
+            - 'WEEKLY'
+    filter_main_system_user:
+        User|contains: # covers many language settings
+            - 'AUTHORI'
+            - 'AUTORI'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml
new file mode 100644
index 000000000..23b7ee21d
--- /dev/null
+++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml
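Review bot: The tags list carries only `attack.persistence` with no technique, although the description and the `schtasks.exe` `/create` selection describe scheduled-task persistence; adding `- attack.t1053.005` next to it would bring this rule in line with the technique-level tags on the other two rules in this commit. The inline comment on `User|contains` (`# covers many language settings`) would be clearer if it said what is covered, e.g. `# 'AUTHORI'/'AUTORI' match NT AUTHORITY and its localized spellings`. The `' /create '` value is space-anchored on both sides, so a `-create` switch spelling would not match; whether that matters depends on what the referenced samples use, which I cannot confirm from the hunk.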
@@ -0,0 +1,28 @@
+title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
+id: c9b86500-1ec2-4de6-9120-d744c8fb5caf
+status: experimental
+description: |
+    Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
+references:
+    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior
+date: 2024/03/22
+tags:
+    - attack.persistence
+    - attack.t1547.001
+    - detection.emerging_threats
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
+        Details|contains|all:
+            - '-nop -w h'
+            - '$env'
+            - 'explorer.exe'
+            - 'Start-Process'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
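Review bot: The author field reads `X__Junior` without the `(Nextron Systems)` affiliation that the two sibling rules in this commit give the same author; aligning it as `author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)` keeps the metadata consistent. The `Details|contains|all` values pin the abbreviated PowerShell switches `-nop -w h`, so a variant using longer forms such as `-NoProfile -WindowStyle Hidden`, or the `-w hidden` spelling, would not match; since the rule is explicitly tied to observed samples, a comment above the list such as `# sample-specific argument spelling; adjust if new variants appear` would tell a future maintainer why the match is this narrow. The `falsepositives` entry `Unlikely` also differs from the `Unknown` used by the other two rules, which may be intentional given `level: high` but is worth confirming.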