Potential Pikabot Discovery Activity

 1title: Potential Pikabot Discovery Activity
 2id: 698d4431-514f-4c82-af4d-cf573872a9f5
 3status: experimental
 4description: |
 5    Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
 6    The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).    
 7references:
 8    - https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
 9    - https://tria.ge/231023-lpw85she57/behavioral2
10author: Andreas Braathen (mnemonic.io)
11date: 2023/10/27
12modified: 2024/01/26
13tags:
14    - attack.discovery
15    - attack.t1016
16    - attack.t1049
17    - attack.t1087
18    - detection.emerging_threats
19logsource:
20    product: windows
21    category: process_creation
22    definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
23detection:
24    selection_parent:
25        - GrandParentImage|endswith: '\rundll32.exe'
26        - ParentImage|endswith:
27              - '\SearchFilterHost.exe'
28              - '\SearchProtocolHost.exe'
29    selection_child:
30        CommandLine:
31            # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware
32            - 'ipconfig.exe /all'
33            - 'netstat.exe -aon'
34            - 'whoami.exe /all'
35    condition: all of selection_*
36falsepositives:
37    - Unlikely
38level: high