Pingback Backdoor DLL Loading Activity
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Sigma rule (View on GitHub)
1title: Pingback Backdoor DLL Loading Activity
2id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
3related:
4 - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # File indicators
5 type: similar
6 - id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation
7 type: similar
8status: test
9description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
10references:
11 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
12 - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
13author: Bhabesh Raj
14date: 2021-05-05
15modified: 2023-02-17
16tags:
17 - attack.privilege-escalation
18 - attack.defense-evasion
19 - attack.persistence
20 - attack.t1574.001
21 - detection.emerging-threats
22logsource:
23 product: windows
24 category: image_load
25detection:
26 selection:
27 Image|endswith: '\msdtc.exe'
28 ImageLoaded: 'C:\Windows\oci.dll'
29 condition: selection
30falsepositives:
31 - Unlikely
32level: high
References
-
In this post, we analyze a piece of malware that we encountered during a recent breach investigation. What caught our attention was how the malware achieved persistence, how it used ICMP tunneling for its backdoor communications, and how it operated with different modes to increase its chances of a successful attack.
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More
Related rules
- APT27 - Emissary Panda Activity
- DLL Names Used By SVR For GraphicalProton Backdoor
- Diamond Sleet APT DLL Sideloading Indicators
- Lazarus APT DLL Sideloading Activity
- Pingback Backdoor Activity