Potential Pikabot C2 Activity

Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2 communication through hard-coded Windows binaries.

Sigma rule

title: Potential Pikabot C2 Activity
id: cae6cee6-0244-44d2-84ed-e65f548eb7dc
status: experimental
description: |
    Detects the execution of rundll32 that leads to an external network connection.
    The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
references:
    - https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
    - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
author: Andreas Braathen (mnemonic.io)
date: 2023/10/27
modified: 2024/01/26
tags:
    - attack.command_and_control
    - attack.t1573
    - detection.emerging_threats
logsource:
    product: windows
    category: network_connection
    definition: 'Requirements: By default the network_connection type event might not contain the ParentImage. Make sure you collect such fields in order to use this rule'
detection:
    selection:
        ParentImage|endswith: '\rundll32.exe'
        Image|endswith:
            # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
            - '\SearchFilterHost.exe'
            - '\SearchProtocolHost.exe'
            - '\sndvol.exe'
            - '\wermgr.exe'
            - '\wwahost.exe'
        Protocol: tcp
        Initiated: 'true'
    condition: selection
falsepositives:
    - Unlikely
level: high
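To see how the selection above behaves on real-looking telemetry, here is an added Python example (not part of SigmaHQ, the rule, or any Sigma backend) that re-implements the rule's `selection` block and runs it over a handful of constructed Sysmon Event ID 3 (network_connection) records. The event dicts, hostnames, IPs and ports are all made up for illustration; the field names mirror the ones the rule references (ParentImage, Image, Protocol, Initiated). It also shows the case the rule's `definition` warns about: when ParentImage is not collected, the rule cannot fire.

```python
"""Evaluate the 'Potential Pikabot C2 Activity' selection against sample events.

Added example; not part of the Sigma project or of this rule. The events
below are constructed (not real telemetry) and mimic Sysmon Event ID 3.
"""

# Child images the rule lists, copied from the rule's `Image|endswith`.
PIKABOT_CHILD_IMAGES = (
    "\\SearchFilterHost.exe",
    "\\SearchProtocolHost.exe",
    "\\sndvol.exe",
    "\\wermgr.exe",
    "\\wwahost.exe",
)


def matches_rule(event: dict) -> bool:
    """Mirror the rule's `selection`: all field conditions are ANDed.

    Sigma string matching (including |endswith) is case-insensitive, so every
    comparison is done on lower-cased values.
    """
    parent = event.get("ParentImage")
    image = event.get("Image")
    if parent is None or image is None:
        # The rule's logsource definition notes that network_connection events
        # may lack ParentImage unless explicitly collected; without it the
        # selection cannot be satisfied.
        return False
    parent_l = parent.lower()
    image_l = image.lower()
    return (
        parent_l.endswith("\\rundll32.exe")
        and any(image_l.endswith(s.lower()) for s in PIKABOT_CHILD_IMAGES)
        and str(event.get("Protocol", "")).lower() == "tcp"
        and str(event.get("Initiated", "")).lower() == "true"
    )


# Constructed sample events (IPs are from the documentation range 198.51.100.0/24).
SAMPLE_EVENTS = [
    {   # expected to match: rundll32 parent, listed child, outbound TCP
        "EventID": 3, "Computer": "ws01.example.invalid",
        "Image": "C:\\Windows\\System32\\wermgr.exe",
        "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
        "Protocol": "tcp", "Initiated": "true",
        "DestinationIp": "198.51.100.23", "DestinationPort": 443,
    },
    {   # benign: same child image, but parent is explorer.exe
        "EventID": 3, "Computer": "ws01.example.invalid",
        "Image": "C:\\Windows\\System32\\wermgr.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Protocol": "tcp", "Initiated": "true",
        "DestinationIp": "198.51.100.24", "DestinationPort": 443,
    },
    {   # inbound connection: Initiated is false, so no match
        "EventID": 3, "Computer": "ws02.example.invalid",
        "Image": "C:\\Windows\\System32\\wwahost.exe",
        "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
        "Protocol": "tcp", "Initiated": "false",
        "DestinationIp": "198.51.100.25", "DestinationPort": 49152,
    },
    {   # UDP: Protocol condition fails
        "EventID": 3, "Computer": "ws02.example.invalid",
        "Image": "C:\\Windows\\System32\\sndvol.exe",
        "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
        "Protocol": "udp", "Initiated": "true",
        "DestinationIp": "198.51.100.26", "DestinationPort": 53,
    },
    {   # ParentImage not collected: the rule cannot fire on this source
        "EventID": 3, "Computer": "ws03.example.invalid",
        "Image": "C:\\Windows\\System32\\SearchProtocolHost.exe",
        "Protocol": "tcp", "Initiated": "true",
        "DestinationIp": "198.51.100.27", "DestinationPort": 8080,
    },
]


def find_matches(events) -> list:
    """Return the events that satisfy the rule's selection."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT {hit['Computer']}: {hit['ParentImage']} -> {hit['Image']} "
              f"to {hit['DestinationIp']}:{hit['DestinationPort']}")
```

Only the first sample event fires; the last one shows why the rule's `definition` insists on collecting ParentImage, since a telemetry pipeline that drops that field silently turns this high-severity rule into a no-op rather than an error.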
