Pingback Backdoor File Indicators

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Sigma rule (View on GitHub)

 1title: Pingback Backdoor File Indicators
 2id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
 3related:
 4    - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load
 5      type: similar
 6    - id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation
 7      type: similar
 8status: test
 9description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
10references:
11    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
12    - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
13author: Bhabesh Raj
14date: 2021-05-05
15modified: 2023-02-17
16tags:
17    - attack.persistence
18    - attack.t1574.001
19    - detection.emerging-threats
20logsource:
21    product: windows
22    category: file_event
23detection:
24    selection:
25        Image|endswith: 'updata.exe'
26        TargetFilename: 'C:\Windows\oci.dll'
27    condition: selection
28falsepositives:
29    - Unlikely
30level: high

References

Related rules

to-top