Date: 02/12/2025
Severity: Medium
Summary
Detects the execution of a Word document through the WinWord Start Menu shortcut. This technique has been observed in KamiKakaBot samples to trigger the second stage of infection.
Indicators of Compromise (IOC) List
Image: '\cmd.exe'
CommandLine (contains all of): '/c ', '.lnk ~', 'Start Menu\Programs\Word', '.doc'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query (Windows Security log): (resourcename = "Windows Security" AND eventtype = "4688" ) AND (processname like "\cmd.exe" AND (commandline like "/c" and commandline like ".lnk ~" and commandline like "Start Menu\Programs\Word" and commandline like ".doc"))
Detection Query (EDR telemetry): (technologygroup = "EDR" ) AND (processname like "\cmd.exe" AND (commandline like "/c" and commandline like ".lnk ~" and commandline like "Start Menu\Programs\Word" and commandline like ".doc"))
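The following is an added example, not code from Gurucul or from the SigmaHQ rule, that applies the same matching logic (image path ending in \cmd.exe and a command line containing every listed marker) to a handful of constructed process-creation records in the shape of Event ID 4688. The field names (NewProcessName, CommandLine), the record ids and the sample command lines are assumptions made for the example; case-insensitive substring matching is assumed to mirror the queries' "like" semantics. Note that a plain ".doc" substring also matches ".docx", so the full conjunction of markers is what keeps the rule precise.

```python
"""Added example (not Gurucul's or SigmaHQ's code): apply the KamiKakaBot
WinWord-shortcut detection logic to constructed 4688-style process events."""

# Substrings the page's query requires in the command line; all must be present.
COMMANDLINE_MARKERS = ("/c ", ".lnk ~", "Start Menu\\Programs\\Word", ".doc")
# The image path must end with this (compared case-insensitively).
IMAGE_SUFFIX = "\\cmd.exe"


def matches_kamikakabot_lnk_lure(event: dict) -> bool:
    """Return True when a process-creation record matches the detection rule.

    `event` is a dict with (assumed) keys NewProcessName and CommandLine,
    the names Windows uses in Event ID 4688 records.
    """
    image = event.get("NewProcessName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    # Every marker must appear; a single marker (e.g. ".doc") is far too noisy alone.
    return all(marker.lower() in cmdline for marker in COMMANDLINE_MARKERS)


def find_matches(events: list) -> list:
    """Return the ids of all events that match the rule, preserving input order."""
    return [e["id"] for e in events if matches_kamikakabot_lnk_lure(e)]


# Constructed sample records (not real telemetry). Only evt-1 should match.
SAMPLE_EVENTS = [
    {
        "id": "evt-1",
        "EventID": 4688,
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Word.lnk ~" '
                       r'"C:\Users\victim\Downloads\report.doc"',
    },
    {   # Ordinary cmd.exe use: none of the lure markers beyond "/c ".
        "id": "evt-2",
        "EventID": 4688,
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir C:\\Temp",
    },
    {   # Same command line but a different image: the rule requires cmd.exe.
        "id": "evt-3",
        "EventID": 4688,
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe /c "Start Menu\Programs\Word.lnk ~" "C:\x\a.doc"',
    },
    {   # ".doc" matches ".docx" as a substring, but the other markers are missing.
        "id": "evt-4",
        "EventID": 4688,
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c start "" "C:\Users\victim\Desktop\notes.docx"',
    },
]


if __name__ == "__main__":
    for event_id in find_matches(SAMPLE_EVENTS):
        print("ALERT KamiKakaBot WinWord shortcut lure:", event_id)
```

Running the block prints one alert, for evt-1; the other three records show the two ways a near-miss fails the rule (wrong image, or only some of the command-line markers present).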
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml