Pingback Backdoor Activity
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Sigma rule (View on GitHub)
1title: Pingback Backdoor Activity
2id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
3related:
4 - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load
5 type: similar
6 - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 # File Indicators
7 type: similar
8status: test
9description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
10references:
11 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
12 - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
13author: Bhabesh Raj
14date: 2021-05-05
15modified: 2023-02-17
16tags:
17 - attack.persistence
18 - attack.t1574.001
19 - detection.emerging-threats
20logsource:
21 product: windows
22 category: process_creation
23detection:
24 selection:
25 ParentImage|endswith: '\updata.exe'
26 CommandLine|contains|all:
27 - 'config'
28 - 'msdtc'
29 - 'start'
30 - 'auto'
31 condition: selection
32falsepositives:
33 - Unlikely
34level: high
References
-
In this post, we analyze a piece of malware that we encountered during a recent breach investigation. What caught our attention was how the malware achieved persistence, how it used ICMP tunneling for its backdoor communications, and how it operated with different modes to increase its chances of a successful attack.
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More
Related rules
- Pingback Backdoor DLL Loading Activity
- Pingback Backdoor File Indicators
- Small Sieve Malware CommandLine Indicator
- Aruba Network Service Potential DLL Sideloading
- COLDSTEEL Persistence Service Creation