Date: 02/13/2025
Severity: High
Summary
Detects modifications to the "Winlogon" registry key in which the "Shell" value is set to content associated with KamiKakaBot samples; the malware rewrites this value so its loader runs at logon, establishing persistence.
Indicators of Compromise (IOC) List
TargetObject: '\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
Details (all four substrings present): '-nop -w h', '$env', 'explorer.exe', 'Start-Process'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query (Sysmon, Event ID 13 = RegistryEvent: Value Set):
((resourcename = "Sysmon" AND eventtype = "13" ) AND targetobject like "\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" ) AND (details like "-nop -w h" AND details like "$env" AND details like "explorer.exe" AND details like "Start-Process" )
Detection Query (EDR telemetry):
((technologygroup = "EDR" ) AND targetobject like "\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" ) AND (details like "-nop -w h" AND details like "$env" AND details like "explorer.exe" AND details like "Start-Process" )
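As an added example (not from the Gurucul page or the Sigma rule it references), the Python below applies the same matching conditions as the queries above to a handful of constructed Sysmon Event ID 13 records, including the benign default Shell value and a value-set event on an unrelated key. The sample records, the hypothetical script path and the case-insensitive matching are assumptions.

```python
"""Apply the Winlogon\\Shell detection logic to constructed Sysmon records."""
from typing import Dict, List

# Substrings the queries require in "Details" (all four must be present).
REQUIRED_DETAIL_TOKENS = ("-nop -w h", "$env", "explorer.exe", "Start-Process")
# Registry path the queries match in "TargetObject".
SHELL_VALUE_PATH = r"\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"

# Constructed Sysmon EID 13 (RegistryEvent: Value Set) records, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # default Windows shell value: benign, must not alert
        "EventID": "13",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
        "Details": "explorer.exe",
    },
    {  # shell value rewritten to launch PowerShell (hypothetical script path)
        "EventID": "13",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
        "Details": r"explorer.exe, powershell -nop -w h Start-Process $env:TEMP\sample.ps1",
    },
    {  # same Details written to an unrelated value: outside this rule's scope
        "EventID": "13",
        "TargetObject": r"HKCU\Software\Example\Run",
        "Details": r"powershell -nop -w h Start-Process $env:TEMP\sample.ps1 explorer.exe",
    },
    {  # EID 12 (key create/delete) carries no Details: cannot match
        "EventID": "12",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
        "Details": "",
    },
]


def is_winlogon_shell_hijack(event: Dict[str, str]) -> bool:
    """Mirror the page's query: EID 13, TargetObject ends with the Winlogon
    Shell value, and Details carries all four tokens. The query's 'like' is a
    substring match; a suffix match is used here so sibling Winlogon values
    with longer names cannot match. Case-insensitivity is an assumption."""
    if event.get("EventID") != "13":
        return False
    if not event.get("TargetObject", "").lower().endswith(SHELL_VALUE_PATH.lower()):
        return False
    details = event.get("Details", "").lower()
    return all(tok.lower() in details for tok in REQUIRED_DETAIL_TOKENS)


def triage(events: List[Dict[str, str]]) -> List[int]:
    """Return indexes of matching events for analyst review."""
    return [i for i, ev in enumerate(events) if is_winlogon_shell_hijack(ev)]


if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(f"ALERT event[{i}] TargetObject={SAMPLE_EVENTS[i]['TargetObject']}")
```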
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml