Potential Pikabot Discovery Activity

Detects system discovery activity carried out by Pikabot, including network, user and domain group enumeration. Pikabot has been seen to run these commands as part of its C2 botnet registration, within a short collection time frame (less than 1 minute).

Sigma rule

```yaml
title: Potential Pikabot Discovery Activity
id: 698d4431-514f-4c82-af4d-cf573872a9f5
status: experimental
description: |
    Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
    The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
references:
    - https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
    - https://tria.ge/231023-lpw85she57/behavioral2
author: Andreas Braathen (mnemonic.io)
date: 2023-10-27
modified: 2024-01-26
tags:
    - attack.discovery
    - attack.t1016
    - attack.t1049
    - attack.t1087
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
    definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
detection:
    selection_parent:
        - GrandParentImage|endswith: '\rundll32.exe'
        - ParentImage|endswith:
              - '\SearchFilterHost.exe'
              - '\SearchProtocolHost.exe'
    selection_child:
        CommandLine:
            # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware
            - 'ipconfig.exe /all'
            - 'netstat.exe -aon'
            - 'whoami.exe /all'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
```
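The following is an added example, not part of the Sigma rule or of SigmaHQ's tooling: a small Python evaluator that transcribes the rule's two selections and its `all of selection_*` condition, runs them over constructed Windows `process_creation` events, and flags events that lack the `GrandParentImage` field the rule's `definition` says is not collected by default. It also goes beyond the rule with a `discovery_bursts` helper that groups the three discovery commands by parent process and reports parents issuing two or more of them within the description's one-minute window. Field names (`Image`, `CommandLine`, `ParentImage`, `GrandParentImage`) follow the Sigma Windows process_creation taxonomy; the `UtcTime` and `ParentProcessId` fields and the timestamp format are assumed to be Sysmon-style, and all sample events are constructed.

```python
from datetime import datetime

# Rule conditions transcribed from the Sigma rule above. Sigma string matching is
# case-insensitive, so values are lowercased before comparison.
GRANDPARENT_SUFFIX = "\\rundll32.exe"
PARENT_SUFFIXES = ("\\searchfilterhost.exe", "\\searchprotocolhost.exe")
CHILD_COMMANDLINES = ("ipconfig.exe /all", "netstat.exe -aon", "whoami.exe /all")


def selection_parent(event):
    # A list of maps in Sigma is OR-ed: grandparent is rundll32.exe OR parent is a search host.
    grandparent = (event.get("GrandParentImage") or "").lower()
    parent = (event.get("ParentImage") or "").lower()
    return grandparent.endswith(GRANDPARENT_SUFFIX) or parent.endswith(PARENT_SUFFIXES)


def selection_child(event):
    # No modifier on CommandLine, so this is an exact (case-insensitive) match against the list.
    return (event.get("CommandLine") or "").lower() in CHILD_COMMANDLINES


def matches(event):
    # condition: all of selection_*
    return selection_parent(event) and selection_child(event)


def lacks_grandparent(event):
    # The rule's definition warns that GrandParentImage is not collected by default;
    # without it only the ParentImage branch of selection_parent can ever fire.
    return "GrandParentImage" not in event


def discovery_bursts(events, window_seconds=60):
    """Beyond the rule: parents that ran two or more distinct discovery commands
    within window_seconds. Assumes Sysmon-style UtcTime and ParentProcessId fields."""
    by_parent = {}
    for e in events:
        cmd = (e.get("CommandLine") or "").lower()
        if cmd in CHILD_COMMANDLINES and "UtcTime" in e and "ParentProcessId" in e:
            ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
            by_parent.setdefault(e["ParentProcessId"], []).append((ts, cmd))
    bursts = {}
    for pid, seen in by_parent.items():
        seen.sort()
        span = (seen[-1][0] - seen[0][0]).total_seconds()
        distinct = {c for _, c in seen}
        if len(distinct) >= 2 and span < window_seconds:
            bursts[pid] = sorted(distinct)
    return bursts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: rundll32 -> SearchProtocolHost -> whoami: both selections match
        "UtcTime": "2023-10-27 12:00:01.000", "ParentProcessId": 4120,
        "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami.exe /all",
        "ParentImage": "C:\\Windows\\System32\\SearchProtocolHost.exe",
        "GrandParentImage": "C:\\Windows\\System32\\rundll32.exe",
    },
    {   # 1: same parent, second discovery command two seconds later: matches
        "UtcTime": "2023-10-27 12:00:03.500", "ParentProcessId": 4120,
        "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig.exe /all",
        "ParentImage": "C:\\Windows\\System32\\SearchProtocolHost.exe",
        "GrandParentImage": "C:\\Windows\\System32\\rundll32.exe",
    },
    {   # 2: admin running ipconfig from cmd.exe: child matches, parent does not
        "UtcTime": "2023-10-27 12:05:00.000", "ParentProcessId": 5200,
        "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig.exe /all",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "GrandParentImage": "C:\\Windows\\explorer.exe",
    },
    {   # 3: grandparent rundll32, but the command line is not one of the exact strings
        "UtcTime": "2023-10-27 12:06:00.000", "ParentProcessId": 6100,
        "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig /all",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "GrandParentImage": "C:\\Windows\\System32\\rundll32.exe",
    },
    {   # 4: GrandParentImage not collected; 25 minutes after event 2 under the same parent
        "UtcTime": "2023-10-27 12:30:00.000", "ParentProcessId": 5200,
        "Image": "C:\\Windows\\System32\\netstat.exe", "CommandLine": "netstat.exe -aon",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
]


def run(events=SAMPLE_EVENTS):
    """Return (indices of rule matches, indices lacking GrandParentImage, bursts by parent pid)."""
    hits = [i for i, e in enumerate(events) if matches(e)]
    blind = [i for i, e in enumerate(events) if lacks_grandparent(e)]
    return hits, blind, discovery_bursts(events)


if __name__ == "__main__":
    hits, blind, bursts = run()
    print("rule matches:", hits)
    print("events without GrandParentImage:", blind)
    print("discovery bursts (<60s):", bursts)
```

Events 0 and 1 fire the rule; event 2 shows why the parent selection is needed to keep ordinary administrative use of `ipconfig.exe /all` out of the alert; event 3 shows that the exact-string match on `CommandLine` will not catch a variant spelling. Event 4 is the case the `definition` field warns about: with `GrandParentImage` absent the rule can only match through the `ParentImage` branch, which is the check to run against your own telemetry before deploying the rule. The burst helper reports parent 4120 (two distinct commands 2.5 seconds apart) but not parent 5200, whose two commands are 25 minutes apart.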
