Pingback Backdoor Activity
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Sigma rule (View on GitHub)
1title: Pingback Backdoor Activity
2id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
3related:
4 - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load
5 type: similar
6 - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 # File Indicators
7 type: similar
8status: test
9description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
10references:
11 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
12 - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
13author: Bhabesh Raj
14date: 2021-05-05
15modified: 2023-02-17
16tags:
17 - attack.privilege-escalation
18 - attack.defense-evasion
19 - attack.persistence
20 - attack.t1574.001
21 - detection.emerging-threats
22logsource:
23 product: windows
24 category: process_creation
25detection:
26 selection:
27 ParentImage|endswith: '\updata.exe'
28 CommandLine|contains|all:
29 - 'config'
30 - 'msdtc'
31 - 'start'
32 - 'auto'
33 condition: selection
34falsepositives:
35 - Unlikely
36level: high
References
-
In this post, we analyze a piece of malware that we encountered during a recent breach investigation. What caught our attention was how the malware achieved persistence, how it used ICMP tunneling for its backdoor communications, and how it operated with different modes to increase its chances of a successful attack.
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More
Related rules
- APT27 - Emissary Panda Activity
- DLL Names Used By SVR For GraphicalProton Backdoor
- Diamond Sleet APT DLL Sideloading Indicators
- Lazarus APT DLL Sideloading Activity
- Pingback Backdoor DLL Loading Activity