Potential Pikabot Hollowing Activity
Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
Sigma rule (View on GitHub)
1title: Potential Pikabot Hollowing Activity
2id: d8937fe7-42d5-4b4d-8178-e089c908f63f
3status: experimental
4description: |
5 Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
6 The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
7references:
8 - https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62
9 - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
10 - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
11author: Andreas Braathen (mnemonic.io)
12date: 2023-10-27
13modified: 2024-01-26
14tags:
15 - attack.defense-evasion
16 - attack.t1055.012
17 - detection.emerging-threats
18logsource:
19 product: windows
20 category: process_creation
21detection:
22 selection:
23 ParentImage|endswith: '\rundll32.exe'
24 Image|endswith:
25 # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
26 - '\SearchFilterHost.exe'
27 - '\SearchProtocolHost.exe'
28 - '\sndvol.exe'
29 - '\wermgr.exe'
30 - '\wwahost.exe'
31 filter_main_legit_sndvol:
32 Image|endswith: '\sndvol.exe'
33 ParentCommandLine|contains: 'mmsys.cpl'
34 condition: selection and not 1 of filter_main_*
35falsepositives:
36 - Unlikely
37level: high
References
Related rules
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- COLDSTEEL Persistence Service Creation