Pingback Backdoor File Indicators
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Sigma rule (View on GitHub)
1title: Pingback Backdoor File Indicators
2id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
3related:
4 - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load
5 type: similar
6 - id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation
7 type: similar
8status: test
9description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
10references:
11 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
12 - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
13author: Bhabesh Raj
14date: 2021/05/05
15modified: 2023/02/17
16tags:
17 - attack.persistence
18 - attack.t1574.001
19 - detection.emerging_threats
20logsource:
21 product: windows
22 category: file_event
23detection:
24 selection:
25 Image|endswith: 'updata.exe'
26 TargetFilename: 'C:\Windows\oci.dll'
27 condition: selection
28falsepositives:
29 - Unlikely
30level: high
References
-
In this post, we analyze a piece of malware that we encountered during a recent breach investigation. What caught our attention was how the malware achieved persistence, how it used ICMP tunneling for its backdoor communications, and how it operated with different modes to increase its chances of a successful attack.
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More
Related rules
- Small Sieve Malware CommandLine Indicator
- COLDSTEEL Persistence Service Creation
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- DEWMODE Webshell Access
- Defrag Deactivation