Pingback Backdoor DLL Loading Activity

Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report. The rule fires on an image_load event in which msdtc.exe loads oci.dll from C:\Windows, the DLL search order hijack (T1574.001) the backdoor relies on.

Sigma rule

title: Pingback Backdoor DLL Loading Activity
id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
related:
    - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # File indicators
      type: similar
    - id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation
      type: similar
status: test
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
    - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
author: Bhabesh Raj
date: 2021/05/05
modified: 2023/02/17
tags:
    - attack.persistence
    - attack.t1574.001
    - detection.emerging_threats
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\msdtc.exe'
        ImageLoaded: 'C:\Windows\oci.dll'
    condition: selection
falsepositives:
    - Unlikely
level: high
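The following is an added example, not part of the Sigma project or of the rule above. It evaluates the rule's `selection` block against a handful of constructed Windows image_load events (Sysmon Event ID 7-style records using the same `Image` and `ImageLoaded` field names the rule uses), so a defender can see exactly which events the AND of the two field tests catches and which benign-looking neighbours it leaves alone. Sigma string matching on Windows log sources is case-insensitive, and the matcher below reproduces that; the event records and the `id` field are constructed for the demonstration.

```python
# Added example (not from the Sigma project): apply the Pingback image_load
# selection to constructed sample events. Field names (Image, ImageLoaded)
# follow the rule's own logsource; the "id" field is an assumed label.
from typing import Iterable

# Selection copied from the rule. A Sigma map is an AND of its field tests.
SELECTION = {
    "Image|endswith": "\\msdtc.exe",
    "ImageLoaded": "C:\\Windows\\oci.dll",
}


def _matches_field(event: dict, key: str, expected: str) -> bool:
    """Apply one Sigma field test ("Field" or "Field|modifier").

    Sigma string comparisons on Windows logs are case-insensitive, so both
    sides are lower-cased before comparing. A missing field never matches.
    """
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual, expected = actual.lower(), expected.lower()
    if modifier == "":
        return actual == expected
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "contains":
        return expected in actual
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_pingback(event: dict) -> bool:
    """True when the event satisfies every field test in SELECTION."""
    return all(_matches_field(event, k, v) for k, v in SELECTION.items())


def find_hits(events: Iterable[dict]) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_pingback(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # True positive: MSDTC resolves oci.dll from C:\Windows, the hijack the rule targets.
    {"id": "evt-1", "Image": "C:\\Windows\\System32\\msdtc.exe",
     "ImageLoaded": "C:\\Windows\\oci.dll"},
    # Same paths in different case: still a hit because matching is case-insensitive.
    {"id": "evt-2", "Image": "c:\\windows\\system32\\MSDTC.EXE",
     "ImageLoaded": "C:\\WINDOWS\\OCI.DLL"},
    # Benign: MSDTC loading an ordinary system DLL.
    {"id": "evt-3", "Image": "C:\\Windows\\System32\\msdtc.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    # Benign: a different process loading a vendor oci.dll from its own install directory.
    {"id": "evt-4", "Image": "C:\\Program Files\\App\\sqlplus.exe",
     "ImageLoaded": "C:\\oracle\\bin\\oci.dll"},
    # Near miss: Image does not END with \msdtc.exe, so the endswith test fails.
    {"id": "evt-5", "Image": "C:\\Temp\\msdtc.exe.bak",
     "ImageLoaded": "C:\\Windows\\oci.dll"},
]

if __name__ == "__main__":
    print(find_hits(SAMPLE_EVENTS))  # ['evt-1', 'evt-2']
```

Because the rule keys on the exact load path `C:\Windows\oci.dll` rather than on the file name alone, a legitimately installed Oracle client whose oci.dll lives under its own directory (evt-4) does not trigger it, which is why the rule can carry `falsepositives: Unlikely` and `level: high`.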
