Detects the execution of rundll32 that leads to an external network connection.
The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.