Potential Pikabot Discovery Activity
Detects system discovery activity carried out by Pikabot, such as network, user and domain-group enumeration. Pikabot has been observed performing this collection as part of its C2 botnet registration, within a short time frame (less than 1 minute).
Sigma rule (View on GitHub)
```yaml
title: Potential Pikabot Discovery Activity
id: 698d4431-514f-4c82-af4d-cf573872a9f5
status: experimental
description: |
    Detects system discovery activity carried out by Pikabot, such as network, user info and domain groups.
    The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
references:
    - https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
    - https://tria.ge/231023-lpw85she57/behavioral2
author: Andreas Braathen (mnemonic.io)
date: 2023-10-27
modified: 2024-01-26
tags:
    - attack.discovery
    - attack.t1016
    - attack.t1049
    - attack.t1087
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
    definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
detection:
    selection_parent:
        - GrandParentImage|endswith: '\rundll32.exe'
        - ParentImage|endswith:
              - '\SearchFilterHost.exe'
              - '\SearchProtocolHost.exe'
    selection_child:
        CommandLine:
            # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware
            - 'ipconfig.exe /all'
            - 'netstat.exe -aon'
            - 'whoami.exe /all'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
```
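The rule's matching semantics (case-insensitive `endswith` on the parent fields, OR between the two `selection_parent` list items, exact case-insensitive `CommandLine` match, AND across both selections) worked through in Python over constructed process_creation events. This is an added example, not part of the rule or of any Sigma tooling; the field names are the rule's, the sample events and their `id` labels are constructed.

```python
"""Added example: evaluate the Pikabot discovery rule above against
constructed process_creation events (not real telemetry)."""

# Match values copied from the rule; Sigma string matching is case-insensitive
GRANDPARENT_SUFFIXES = ("\\rundll32.exe",)
PARENT_SUFFIXES = ("\\SearchFilterHost.exe", "\\SearchProtocolHost.exe")
COMMAND_LINES = {"ipconfig.exe /all", "netstat.exe -aon", "whoami.exe /all"}


def _endswith_ci(value, suffixes):
    """Case-insensitive |endswith; a missing field never matches."""
    return value is not None and value.lower().endswith(tuple(s.lower() for s in suffixes))


def selection_parent(event):
    """List of maps under selection_parent = OR: rundll32.exe grandparent,
    or a Windows Search host process as direct parent."""
    return (_endswith_ci(event.get("GrandParentImage"), GRANDPARENT_SUFFIXES)
            or _endswith_ci(event.get("ParentImage"), PARENT_SUFFIXES))


def selection_child(event):
    """CommandLine must equal one of the exact strings seen used by Pikabot."""
    cmd = event.get("CommandLine")
    return cmd is not None and cmd.lower() in COMMAND_LINES


def matches(event):
    """condition: all of selection_*"""
    return selection_parent(event) and selection_child(event)


def alerts(events):
    """Return the ids of events the rule would fire on."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (ids are arbitrary labels)
SAMPLE_EVENTS = [
    {"id": "ev1", "GrandParentImage": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "ipconfig.exe /all"},
    {"id": "ev2", "ParentImage": "C:\\Windows\\System32\\SearchProtocolHost.exe",
     "CommandLine": "WHOAMI.EXE /all"},
    # same command from an interactive admin shell: parent selection fails
    {"id": "ev3", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "ipconfig.exe /all"},
    # GrandParentImage not collected (see logsource.definition): cannot fire via rundll32
    {"id": "ev4", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "netstat.exe -aon"},
    # right lineage, but a command line the rule deliberately does not list
    {"id": "ev5", "GrandParentImage": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "ipconfig.exe /displaydns"},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['ev1', 'ev2']
```

Event ev4 shows why the `definition` field warns about `GrandParentImage`: without that field collected, only the Search-host parent branch of the rule can ever fire.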