Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
Detects the execution of rundll32 that leads to system discovery activity, such as collecting network configuration, user information and domain group membership. The malware Pikabot has been seen to use this technique as part of its C2-botnet registration, with a short collection time frame (less than 1 minute).
Sigma rule

```yaml
title: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
id: 698d4431-514f-4c82-af4d-cf573872a9f5
status: experimental
description: |
    Detects the execution of rundll32 that leads to system discovery activity, such as incl. network, user info and domain groups.
    The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
references:
    - https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
author: Andreas Braathen (mnemonic.io)
date: 2023/10/27
tags:
    - attack.discovery
    - attack.t1016
    - attack.t1049
    - attack.t1087
    - detection.emerging_threats
logsource:
    product: windows
    category: process_creation
    definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
detection:
    selection_grandparent:
        GrandParentImage|endswith: '\rundll32.exe'
    selection_cmdline:
        CommandLine:
            # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware
            - 'ipconfig.exe /all'
            - 'netstat.exe -aon'
            - 'whoami.exe /all'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
```
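To show how the two selections combine over telemetry, here is an added example (not part of the rule or of the SigmaHQ project) that applies the rule's matching logic in Python to constructed process_creation events and then checks for the short collection window the description mentions. The sample events, the Sysmon-style field names and the grouping by ParentProcessId are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Values copied from the rule above.
GRANDPARENT_SUFFIX = "\\rundll32.exe"
PIKABOT_CMDLINES = {"ipconfig.exe /all", "netstat.exe -aon", "whoami.exe /all"}

def matches_rule(event: dict) -> bool:
    """Sigma: plain values are case-insensitive exact matches, 'endswith' is a
    case-insensitive suffix test, an uncollected field never matches."""
    grandparent = event.get("GrandParentImage")
    cmdline = event.get("CommandLine")
    if grandparent is None or cmdline is None:
        return False
    grandparent_ok = grandparent.lower().endswith(GRANDPARENT_SUFFIX.lower())
    cmdline_ok = cmdline.lower() in {c.lower() for c in PIKABOT_CMDLINES}
    return grandparent_ok and cmdline_ok  # condition: all of selection_*

def rule_hits(events: list) -> list:
    return [e for e in events if matches_rule(e)]

def discovery_bursts(events: list, window_s: int = 60) -> dict:
    """Group hits by ParentProcessId (assumption: the commands share one parent
    shell) and keep groups spanning at most window_s seconds (the page's <1 min)."""
    groups = {}
    for e in rule_hits(events):
        groups.setdefault(e["ParentProcessId"], []).append(e)
    bursts = {}
    for ppid, hits in groups.items():
        times = sorted(datetime.strptime(h["UtcTime"], "%Y-%m-%d %H:%M:%S") for h in hits)
        if times[-1] - times[0] <= timedelta(seconds=window_s):
            bursts[ppid] = [h["CommandLine"] for h in hits]
    return bursts

# Constructed sample events with Sysmon-style field names; not real telemetry.
RUNDLL32 = "C:\\Windows\\System32\\rundll32.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2023-10-27 10:00:01", "GrandParentImage": RUNDLL32, "ParentProcessId": 4120,
     "CommandLine": "ipconfig.exe /all"},
    {"UtcTime": "2023-10-27 10:00:05", "GrandParentImage": RUNDLL32, "ParentProcessId": 4120,
     "CommandLine": "NETSTAT.EXE -aon"},  # case differs from the rule value, still matches
    {"UtcTime": "2023-10-27 10:00:09", "GrandParentImage": RUNDLL32, "ParentProcessId": 4120,
     "CommandLine": "whoami.exe /all"},
    {"UtcTime": "2023-10-27 10:00:12", "GrandParentImage": RUNDLL32, "ParentProcessId": 4120,
     "CommandLine": "\"C:\\Windows\\System32\\ipconfig.exe\" /all"},  # full path: no exact match
    {"UtcTime": "2023-10-27 10:03:00", "GrandParentImage": "C:\\Windows\\explorer.exe",
     "ParentProcessId": 5000, "CommandLine": "ipconfig.exe /all"},  # admin shell: wrong grandparent
    {"UtcTime": "2023-10-27 10:04:00", "ParentProcessId": 5100,
     "CommandLine": "whoami.exe /all"},  # GrandParentImage not collected: cannot match
]
```

The fourth event shows the caveat a deployer should know: the rule's plain values are exact matches, so a command line carrying the full executable path is not caught by this rule as written.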
Related rules
- Cisco Discovery
- Use Get-NetTCPConnection
- HackTool - SharpView Execution
- Net.exe Execution
- Potential Baby Shark Malware Activity