Merge PR #4831 from @swachchhanda000 - Add Kapeka backdoor related Si…

…gma rules

new: Kapeka Backdoor Autorun Persistence
new: Kapeka Backdoor Configuration Persistence
new: Kapeka Backdoor Execution Via RunDLL32.EXE
new: Kapeka Backdoor Loaded Via Rundll32.EXE
new: Kapeka Backdoor Persistence Activity
new: Kapeka Backdoor Scheduled Task Creation
new: Potential Kapeka Decrypted Backdoor Indicator 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>

rules-emerging-threats/2024/Malware/kapeka/Kapeka.md

@@ -0,0 +1,17 @@
+# Kapeka backdoor
+
+Kapeka has been used in assaults against people in Eastern Europe since at least the middle of 2022. Microsoft originally identified the [Kapeka backdoor](https://www.securityweek.com/kapeka-a-new-backdoor-in-sandworms-arsenal-of-aggression/). In a brief explanation released on February 14, 2024, Microsoft referred to this new backdoor as "KnuckleTouch" and linked it to a threat actor organization known as SeaShell Blizzard, which is also the name of the notorious Sandworm gang.
+
+However, it is the security firm [WithSecure](https://labs.withsecure.com/publications/kapeka) that has conducted an in-depth analysis of Kapeka. WithSecure believes that KnuckleTouch is indeed the same as Kapeka. Their assessment suggests that Kapeka is a tool used by an APT (Advanced Persistent Threat) group. 
+
+Despite limited public knowledge about Kapeka, WithSecure has identified its use in specific incidents, particularly in regions like Estonia and Ukraine. Kapeka’s stealth mechanisms allow it to maintain persistence and evade detection. If successfully delivered, it can serve as a powerful tool for long-term cyberespionage.
+
+## Rules
+
+- [Potential Kapeka Decrypted Backdoor Indicator](./file_event_win_malware_kapeka_backdoor_indicators.yml)
+- [Kapeka Backdoor Loaded Via Rundll32.EXE](./image_load_malware_kapeka_backdoor_wll.yml)
+- [Kapeka Backdoor Persistence Activity](./proc_creation_win_malware_kapeka_backdoor_persistence.yml)
+- [Kapeka Backdoor Execution Via RunDLL32.EXE](./proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml)
+- [Kapeka Backdoor Autorun Persistence](./registry_set_malware_kapeka_backdoor_autorun_persistence.yml)
+- [Kapeka Backdoor Configuration Persistence](./registry_set_malware_kapeka_backdoor_configuration.yml)
+- [Kapeka Backdoor Scheduled Task Creation](./win_security_malware_kapeka_backdoor_scheduled_task_creation.yml)

rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml

@@ -0,0 +1,30 @@
+title: Potential Kapeka Decrypted Backdoor Indicator
+id: 20228d05-dd68-435d-8b4e-e7e64938880c
+status: experimental
+description: |
+    Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
+    The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.
+references:
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+date: 2024/07/03
+tags:
+    - attack.defense_evasion
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection_generic:
+        TargetFilename|contains:
+            - ':\ProgramData\'
+            - '\AppData\Local\'
+        TargetFilename|re: '\\[a-zA-Z]{5,6}\.wll'
+    selection_specific:
+        TargetFilename|endswith:
+            - '\win32log.exe'
+            - '\crdss.exe'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: high

rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml

@@ -0,0 +1,30 @@
+title: Kapeka Backdoor Loaded Via Rundll32.EXE
+id: a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c
+status: experimental
+description: |
+    Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
+    The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
+references:
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+author: Swachchhanda Shrawan Poudel
+date: 2024/07/03
+tags:
+    - attack.execution
+    - attack.t1204.002
+    - attack.defense_evasion
+    - attack.t1218.011
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\rundll32.exe'
+        ImageLoaded|contains:
+            - ':\ProgramData'
+            - '\AppData\Local\'
+        ImageLoaded|re: '[a-zA-Z]{5,6}\.wll'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml

@@ -0,0 +1,48 @@
+title: Kapeka Backdoor Persistence Activity
+id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
+status: experimental
+description: |
+    Detects Kapeka backdoor persistence activity.
+    Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
+    For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
+    To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
+    Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
+references:
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+    - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
+author: Swachchhanda Shrawan Poudel
+date: 2024/07/03
+tags:
+    - attack.persistence
+    - attack.t1053.005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_schtasks_img:
+        - Image|endswith: '\schtasks.exe'
+        - OriginalFileName: 'schtasks.exe'
+    selection_schtasks_flags:
+        CommandLine|contains|all:
+            - 'create'
+            - 'ONSTART'
+    selection_reg_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_reg_flags:
+        CommandLine|contains|all:
+            - 'add'
+            - '\Software\Microsoft\Windows\CurrentVersion\Run'
+    selection_backdoor_command:
+        CommandLine|contains|all:
+            - 'rundll32'
+            - '.wll'
+            - '#1'
+        CommandLine|contains:
+            - 'Sens Api'
+            - 'OneDrive' # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases
+    condition: (all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command
+falsepositives:
+    - Unlikely
+level: high

rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml

@@ -0,0 +1,37 @@
+title: Kapeka Backdoor Execution Via RunDLL32.EXE
+id: e98f741c-6a5b-4c83-bc2a-1f4e58d07b12
+status: experimental
+description: |
+    Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
+references:
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+date: 2024/07/03
+tags:
+    - attack.defense_evasion
+    - attack.t1218.011
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\rundll32.exe'
+        - OriginalFileName: 'RUNDLL32.EXE'
+    selection_backdoor_path:
+        CommandLine|contains:
+            - ':\ProgramData'
+            - '\AppData\Local'
+    selection_backdoor_exec_1:
+        CommandLine|contains|all:
+            - '.wll'
+            - '#1'
+            - ' -d'
+    selection_backdoor_exec_2:
+        # This account for the in the wild variant
+        CommandLine|contains: '.wll'
+        CommandLine|endswith: '#1'
+    condition: selection_img and selection_backdoor_path and 1 of selection_backdoor_exec_*
+falsepositives:
+    - Unknown
+level: high

rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml

@@ -0,0 +1,32 @@
+title: Kapeka Backdoor Autorun Persistence
+id: c0c67b21-eb8a-4c84-a395-40473ec3b482
+related:
+    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
+      type: similar
+status: experimental
+description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
+references:
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+author: Swachchhanda Shrawan Poudel
+date: 2024/07/03
+tags:
+    - attack.persistence
+    - attack.t1547.001
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection_base:
+        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
+        TargetObject|endswith:
+            - '\Sens Api'
+            - '\OneDrive'
+        Details|contains|all:
+            - ':\WINDOWS\system32\rundll32.exe'
+            - '.wll'
+            - '#1'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml

@@ -0,0 +1,28 @@
+title: Kapeka Backdoor Configuration Persistence
+id: cbaa3ef3-07a9-4c8e-82d1-9e40578da7fd
+status: experimental
+description: |
+    Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
+    The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
+references:
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+author: Swachchhanda Shrawan Poudel
+date: 2024/07/03
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.t1553.003
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: '\SOFTWARE\Microsoft\Cryptography\Providers\{'
+        TargetObject|endswith: '\Seed'
+    filter_main_empty:
+        Details|contains: '(Empty)'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: medium

rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml

@@ -0,0 +1,43 @@
+title: Kapeka Backdoor Scheduled Task Creation
+id: 6c130acd-0adb-4545-bcc4-2e85d0883c9a
+related:
+    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
+      type: similar
+status: experimental
+description: Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
+references:
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
+    - https://labs.withsecure.com/publications/kapeka
+    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+    - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
+author: Swachchhanda Shrawan Poudel
+date: 2024/07/03
+tags:
+    - attack.execution
+    - attack.privilege_escalation
+    - attack.persistence
+    - attack.t1053.005
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to trigger this detection.'
+detection:
+    selection_eid:
+        EventID: 4698
+    selection_paths:
+        TaskContent|contains:
+            - ':\ProgramData\'
+            - '\AppData\Local\'
+    selection_command:
+        TaskContent|contains|all:
+            - 'rundll32'
+            - '.wll'
+            - '#1'
+    selection_taskname:
+        TaskContent|contains:
+            - 'OneDrive' # The scheduled task was called “OneDrive” instead of “Sens Api” in some cases
+            - 'Sens Api'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml

@@ -1,7 +1,8 @@
-title: Potential PendingFileRenameOperations Tamper
+title: Potential PendingFileRenameOperations Tampering
 id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
 status: test
-description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.
+description: |
+    Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
 references:
     - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
     - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
@@ -10,6 +11,7 @@ references:
     - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
 author: frack113
 date: 2023/01/27
+modified: 2024/07/03
 tags:
     - attack.defense_evasion
     - attack.t1036.003
@@ -30,5 +32,5 @@ detection:
             - '\regedit.exe'
     condition: selection_main and 1 of selection_susp_*
 falsepositives:
-    - Installers and updaters may set currently in use files for rename after a reboot.
+    - Installers and updaters may set currently in use files for rename or deletion after a reboot.
 level: medium