Potential Pikabot C2 Activity

Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.

Sigma rule (View on GitHub)

 1title: Potential Pikabot C2 Activity
 2id: cae6cee6-0244-44d2-84ed-e65f548eb7dc
 3status: test
 4description: |
 5    Detects the execution of rundll32 that leads to an external network connection.
 6    The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.    
 7references:
 8    - https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
 9    - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
10    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
11author: Andreas Braathen (mnemonic.io)
12date: 2023-10-27
13modified: 2024-01-26
14tags:
15    - attack.command-and-control
16    - attack.t1573
17    - detection.emerging-threats
18logsource:
19    product: windows
20    category: network_connection
21    definition: 'Requirements: By default the network_connection type event might not contain the ParentImage. Make sure you collect such fields in order to use this rule'
22detection:
23    selection:
24        ParentImage|endswith: '\rundll32.exe'
25        Image|endswith:
26            # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
27            - '\SearchFilterHost.exe'
28            - '\SearchProtocolHost.exe'
29            - '\sndvol.exe'
30            - '\wermgr.exe'
31            - '\wwahost.exe'
32        Protocol: tcp
33        Initiated: 'true'
34    condition: selection
35falsepositives:
36    - Unlikely
37level: high

References

Related rules

to-top