Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
Sigma rule

title: Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
id: cae6cee6-0244-44d2-84ed-e65f548eb7dc
status: experimental
description: |
    Detects the execution of rundll32 that leads to an external network connection.
    The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
references:
    - https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
author: Andreas Braathen (mnemonic.io)
date: 2023/10/27
tags:
    - attack.command_and_control
    - attack.t1573
    - detection.emerging_threats
logsource:
    product: windows
    category: network_connection
    definition: 'Requirements: By default the network_connection type event might not contain the ParentImage. Make sure you collect such fields in order to use this rule'
detection:
    selection_parent:
        ParentImage|endswith: '\rundll32.exe'
    selection_child:
        Image|endswith:
            # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
            - '\searchprotocolhost.exe'
            - '\sndvol.exe'
            - '\wermgr.exe'
            - '\wwahost.exe'
    selection_connection:
        Protocol: tcp
        Initiated: 'true'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
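As an added example (not the rule author's or the Sigma project's code), the following Python applies the rule's three selections to a handful of constructed network_connection records and separately counts events that carry no ParentImage, the telemetry gap the logsource definition warns about. Field names follow the Sysmon-style names the rule uses; the sample events, paths and the helpers make_event and triage are assumptions made for this illustration.

```python
# Added example (not from the rule or the Sigma project): applies the rule above
# to constructed network_connection events (Sysmon Event ID 3 style field names).
from typing import Dict, List, Optional, Tuple

PIKABOT_CHILDREN = ("\\searchprotocolhost.exe", "\\sndvol.exe",
                    "\\wermgr.exe", "\\wwahost.exe")

def matches_rule(event: Dict[str, str]) -> Optional[bool]:
    """True on a match, False otherwise, None when ParentImage is absent
    (the telemetry gap the rule's logsource definition warns about)."""
    parent = event.get("ParentImage")
    if parent is None:
        return None
    # Sigma string modifiers match case-insensitively on Windows paths.
    if not parent.lower().endswith("\\rundll32.exe"):
        return False
    if not event.get("Image", "").lower().endswith(PIKABOT_CHILDREN):
        return False
    # Sysmon logs 'Initiated' as the text 'true'/'false'.
    return (event.get("Protocol", "").lower() == "tcp"
            and event.get("Initiated", "").lower() == "true")

def triage(events: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], int]:
    """Return (matching events, count of events missing ParentImage)."""
    hits, gaps = [], 0
    for event in events:
        result = matches_rule(event)
        if result is None:
            gaps += 1
        elif result:
            hits.append(event)
    return hits, gaps

def make_event(image: str, parent: Optional[str], proto: str = "tcp",
               initiated: str = "true") -> Dict[str, str]:
    """Build a constructed event; parent=None simulates a missing ParentImage."""
    event = {"Image": image, "Protocol": proto, "Initiated": initiated}
    if parent is not None:
        event["ParentImage"] = parent
    return event

SYS32 = "C:\\Windows\\System32\\"  # constructed paths, not observed telemetry
SAMPLE_EVENTS = [
    make_event(SYS32 + "wermgr.exe", SYS32 + "rundll32.exe"),                   # match
    make_event(SYS32 + "wermgr.exe", SYS32 + "rundll32.exe", "udp"),            # not tcp
    make_event(SYS32 + "wermgr.exe", "C:\\Windows\\explorer.exe"),              # wrong parent
    make_event(SYS32 + "wwahost.exe", SYS32 + "rundll32.exe", "tcp", "false"),  # inbound
    make_event(SYS32 + "svchost.exe", SYS32 + "rundll32.exe"),                  # child not listed
    make_event(SYS32 + "sndvol.exe", None),                                      # no ParentImage
]
```

A non-zero gap count on real data means the collector is not enriching network_connection events with ParentImage, and the rule is silently blind for those hosts.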
Related rules
- Diamond Sleet APT DNS Communication Indicators
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- GALLIUM Artefacts - Builtin
- Potential CVE-2023-36884 Exploitation - File Downloads
- Potential CVE-2023-36884 Exploitation - Share Access