Date: 02/17/2025
Severity: High
Summary
Detects the creation of a scheduled task associated with the Kapeka backdoor by matching attributes of the task definition recorded in Windows Security Event ID 4698: file paths under ProgramData or AppData\Local, a rundll32 command line loading a .wll file via the #1 export, and the task name.
Indicators of Compromise (IOC) List
EventID: 4698
TaskContent (substring indicators):
- ':\ProgramData\'
- '\AppData\Local\'
- 'rundll32'
- '.wll'
- '#1'
- 'OneDrive' (the scheduled task was called "OneDrive" instead of "Sens Api" in some cases)
- 'Sens Api'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query (Windows Security log):
(resourcename = "Windows Security" AND eventtype = "4698") AND (taskcontent like ":\ProgramData" or taskcontent like "\AppData\Local") AND (taskcontent like "rundll32" and taskcontent like ".wll" and taskcontent like "#1") AND (taskcontent like "OneDrive" or taskcontent like "Sens Api")

Detection Query (EDR):
(technologygroup = "EDR") AND (taskcontent like ":\ProgramData" or taskcontent like "\AppData\Local") AND (taskcontent like "rundll32" and taskcontent like ".wll" and taskcontent like "#1") AND (taskcontent like "OneDrive" or taskcontent like "Sens Api")
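As an added illustration (not Gurucul's or the Sigma project's code), the following Python applies the same AND/OR grouping as the queries above to constructed Event ID 4698 records and pulls the Exec action out of the task XML for alert context; the event dictionary layout and the case-insensitive comparison (as in Sigma's 'contains') are assumptions.

```python
import xml.etree.ElementTree as ET

# Substrings from the IOC list above, grouped the way the detection queries combine them:
# a drop location, the rundll32 + .wll + '#1' loader pattern, and the task name.
PATH_MARKERS = (":\\ProgramData\\", "\\AppData\\Local\\")
LOADER_MARKERS = ("rundll32", ".wll", "#1")
NAME_MARKERS = ("OneDrive", "Sens Api")

# Task Scheduler XML namespace used in the TaskContent field of Event ID 4698.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def kapeka_task_match(event):
    """Apply the rule to one Security event (dict with EventID and TaskContent).

    Comparison is case-insensitive, like Sigma 'contains'; assumed equivalent to 'like' above.
    """
    if event.get("EventID") != 4698:
        return False
    text = event.get("TaskContent", "").lower()
    has_path = any(m.lower() in text for m in PATH_MARKERS)
    has_loader = all(m.lower() in text for m in LOADER_MARKERS)
    has_name = any(m.lower() in text for m in NAME_MARKERS)
    return has_path and has_loader and has_name


def task_action(task_content):
    """Return the Exec command line from the task XML, for the alert's context fields."""
    exec_node = ET.fromstring(task_content).find("t:Actions/t:Exec", TASK_NS)
    if exec_node is None:
        return None
    cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
    args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
    return f"{cmd} {args}".strip()


def build_task_xml(uri, command, arguments):
    """Constructed helper: minimal Task Scheduler XML in the shape Event 4698 records it."""
    return (f'<Task version="1.2" xmlns="{TASK_NS["t"]}"><RegistrationInfo><URI>{uri}</URI>'
            f'</RegistrationInfo><Actions Context="Author"><Exec><Command>{command}</Command>'
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")


# Constructed sample events: one shaped like the IOC pattern, one legitimate-looking OneDrive task.
SUSPECT_EVENT = {"EventID": 4698, "TaskContent": build_task_xml(
    "\\OneDrive", "rundll32", "C:\\ProgramData\\Microsoft\\sample.wll,#1")}
BENIGN_EVENT = {"EventID": 4698, "TaskContent": build_task_xml(
    "\\OneDrive Standalone Update Task",
    "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe", "")}
```

The benign record hits both the AppData\Local path and the OneDrive name but none of the loader markers, which is why the queries AND the three groups together rather than alerting on the task name alone.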
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml