Potential KamiKakaBot Activity - Shutdown Schedule Task Creation

    Date: 01/06/2025

    Severity: Medium

    Summary

    Detects the creation of a scheduled task that is configured to run weekly and that executes the command "shutdown /l /f" (force a log-off of the current user, closing applications without prompting). This behavior has been observed in KamiKakaBot samples as a method of maintaining persistence on a system: the forced log-off is the trigger that causes the malware's persistence mechanism to run again.

    Indicators of Compromise (IOC) List

    These are the selection and filter terms of the referenced Sigma rule rather than host or network IOCs. Sigma string matching is case-insensitive.

    Image (ends-with match on the process path):

    - '\schtasks.exe'

    CommandLine (all three substrings must be present):

    - ' /create '

    - 'shutdown /l /f'

    - 'WEEKLY'

    User (exclusion filter, substring match: events whose user name contains either value are dropped so that tasks created by the SYSTEM account are ignored; the two spellings cover "NT AUTHORITY\SYSTEM" and localized variants such as "AUTORITE NT\SYSTEM"):

    - 'AUTHORI'

    - 'AUTORI'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query : 

    ((resourcename = "Windows Security"  and eventtype = "4688"  ) AND processname like "\schtasks.exe"  ) AND (commandline like "/create" and commandline like "shutdown /l /f" and commandline like "WEEKLY") and employeeid not IN ("AUTHORI", "AUTORI")

    Detection Query : 

    ((technologygroup = "EDR" ) AND processname like "\schtasks.exe"  ) AND (commandline like "/create" and commandline like "shutdown /l /f" and commandline like "WEEKLY") and employeeid not IN ("AUTHORI", "AUTORI")

    Note: in the Sigma rule the user filter is a substring test (User|contains), so a user such as "NT AUTHORITY\SYSTEM" is excluded because it contains "AUTHORI". Confirm that the employeeid clause above is evaluated with the same contains semantics; an exact-value comparison against "AUTHORI" or "AUTORI" will never match a full account name, the exclusion silently does nothing, and tasks created by SYSTEM will alert. The Image condition is likewise an ends-with test on '\schtasks.exe' in the Sigma rule, and the three commandline conditions must all be satisfied by the same event.
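    The rule logic run over sample process-creation records, as an added example that is not Gurucul's or the Sigma project's code. The events, account names and command lines are constructed for illustration, and the field names (image, command_line, user) are assumptions standing in for NewProcessName/Image, CommandLine and SubjectUserName/User. The example also evaluates the system-user exclusion with exact-match semantics to show why a substring match is required.

```python
# Added example (not Gurucul's or the Sigma project's code): evaluates the
# KamiKakaBot schtasks/shutdown rule over constructed 4688-style records.
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    """One process-creation record (constructed; field names are assumptions)."""
    event_id: str       # record label used in the output
    image: str          # NewProcessName (Security 4688) / Image (EDR)
    command_line: str   # process command line
    user: str           # SubjectUserName / User


# Selection terms taken from the Sigma rule. Sigma string matching is
# case-insensitive, so every comparison below works on lower-cased values.
IMAGE_SUFFIX = "\\schtasks.exe"                          # Image|endswith
CMD_TERMS = (" /create ", "shutdown /l /f", "weekly")    # CommandLine|contains|all
SYSTEM_USER_MARKERS = ("authori", "autori")              # filter_main_system_user, User|contains


def selection_matches(ev: ProcEvent) -> bool:
    """True when the process image and command line meet the rule's selection."""
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    return image.endswith(IMAGE_SUFFIX) and all(term in cmd for term in CMD_TERMS)


def is_system_user(user: str, exact: bool = False) -> bool:
    """System-account exclusion. exact=True applies an equality comparison
    instead of the substring test, which is what a naive "not IN" port does."""
    u = user.lower()
    if exact:
        return u in SYSTEM_USER_MARKERS
    return any(marker in u for marker in SYSTEM_USER_MARKERS)


def detect(events: List[ProcEvent], exact_user_filter: bool = False) -> List[str]:
    """Return the IDs of events satisfying: selection and not filter_main_system_user."""
    return [
        ev.event_id
        for ev in events
        if selection_matches(ev) and not is_system_user(ev.user, exact_user_filter)
    ]


# Constructed sample events; none come from a real host.
SAMPLE_EVENTS = [
    # Interactive user creating the weekly forced-logoff task: should fire.
    ProcEvent("evt-1", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc WEEKLY /tn "Update" /tr "shutdown /l /f" /f',
              r"CORP\jdoe"),
    # Same task created as SYSTEM, mixed case: selection matches, exclusion drops it.
    ProcEvent("evt-2", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC weekly /TN "Svc" /TR "ShutDown /l /f"',
              r"NT AUTHORITY\SYSTEM"),
    # Weekly task without the shutdown command: not all terms present.
    ProcEvent("evt-3", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc WEEKLY /tn "Backup" /tr "backup.exe"',
              r"CORP\jdoe"),
    # Logoff run directly, not via schtasks: image does not match.
    ProcEvent("evt-4", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c shutdown /l /f",
              r"CORP\jdoe"),
    # French-localized SYSTEM account; the 'AUTORI' substring covers it.
    ProcEvent("evt-5", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc WEEKLY /tn "Maint" /tr "shutdown /l /f"',
              r"AUTORITE NT\SYSTEM"),
]


if __name__ == "__main__":
    print("substring exclusion:", detect(SAMPLE_EVENTS))          # ['evt-1']
    print("exact-match exclusion:", detect(SAMPLE_EVENTS, True))  # ['evt-1', 'evt-2', 'evt-5']
```

    With the substring exclusion only the task created by the interactive user alerts; with an exact-match exclusion the SYSTEM-created tasks (evt-2 and the localized evt-5) alert as well, which is the failure mode to check for when the Sigma filter is ported to another query language.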

    Reference:   

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml 


    Tags

    Malware, Sigma, KamiKakaBot
