Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE

 1title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
 2id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
 3status: experimental
 4description: |
 5    Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
 6    Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
 7    In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.    
 8references:
 9    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
10    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
11author: Alejandro Houspanossian ('@lekz86')
12date: 2024/01/02
13tags:
14    - attack.execution
15    - attack.t1059.003
16    - attack.t1105
17    - attack.t1218
18    - detection.emerging_threats
19logsource:
20    product: windows
21    category: process_creation
22detection:
23    selection_cmd:
24        CommandLine|contains|all:
25            - 'cmd'
26            - '/c'
27    selection_pipes:
28        CommandLine|contains:
29            - ' & '
30            - ' || '
31    selection_commands_1:
32        CommandLine|contains:
33            - ' curl'
34            - ' wget'
35            - ' timeout '
36            - ' ping '
37    selection_commands_2:
38        CommandLine|contains:
39            - ' rundll32'
40            - ' mkdir '
41    condition: all of selection_*
42falsepositives:
43    - Unknown
44level: medium