Potential Pikabot Hollowing Activity
Detects rundll32.exe spawning selected legitimate Windows binaries. The Pikabot malware has been observed using this technique for process hollowing, targeting a hard-coded set of Windows binaries.
Sigma rule
title: Potential Pikabot Hollowing Activity
id: d8937fe7-42d5-4b4d-8178-e089c908f63f
status: test
description: |
    Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
    The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries.
references:
    - https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62
    - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
author: Andreas Braathen (mnemonic.io)
date: 2023-10-27
modified: 2024-01-26
tags:
    - attack.defense-evasion
    - attack.t1055.012
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\rundll32.exe'
        Image|endswith:
            # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
            - '\SearchFilterHost.exe'
            - '\SearchProtocolHost.exe'
            - '\sndvol.exe'
            - '\wermgr.exe'
            - '\wwahost.exe'
    filter_main_legit_sndvol:
        Image|endswith: '\sndvol.exe'
        ParentCommandLine|contains: 'mmsys.cpl'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
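To see how the selection and the sndvol filter interact, here is an added example that re-implements the rule's detection logic in Python and runs it over a handful of constructed process-creation events. This is not code from the SigmaHQ project or from the rule author; the field names (Image, ParentImage, ParentCommandLine) are the Sigma process_creation field names, and the sample events, their command lines and the "evt" ids are constructed here for illustration and do not come from any real incident or Pikabot sample.

```python
"""Minimal re-implementation of the 'Potential Pikabot Hollowing Activity'
rule logic, run over constructed events. Added example, not SigmaHQ code."""

# Child binaries the rule looks for under a rundll32.exe parent. The list is
# deliberately limited to the processes the rule names (see the rule comment
# about avoiding collisions with other malware strains).
SELECTION_IMAGES = (
    "\\searchfilterhost.exe",
    "\\searchprotocolhost.exe",
    "\\sndvol.exe",
    "\\wermgr.exe",
    "\\wwahost.exe",
)


def _endswith_ci(value, suffix):
    """Sigma string modifiers match case-insensitively by default."""
    return (value or "").lower().endswith(suffix.lower())


def _contains_ci(value, needle):
    return needle.lower() in (value or "").lower()


def selection(event):
    """ParentImage|endswith '\\rundll32.exe' AND Image|endswith one of the list."""
    return _endswith_ci(event.get("ParentImage"), "\\rundll32.exe") and any(
        _endswith_ci(event.get("Image"), s) for s in SELECTION_IMAGES
    )


def filter_main_legit_sndvol(event):
    """sndvol.exe started by a rundll32 that loaded the Sound applet (mmsys.cpl)."""
    return _endswith_ci(event.get("Image"), "\\sndvol.exe") and _contains_ci(
        event.get("ParentCommandLine"), "mmsys.cpl"
    )


# Every filter_main_* selection; the condition excludes an event if any one fires.
FILTERS = (filter_main_legit_sndvol,)


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


# Constructed sample events (not real telemetry; names and ids are made up).
SAMPLE_EVENTS = [
    {   # rundll32 loading a non-.dll file, then spawning wermgr: should alert
        "id": "evt1",
        "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
        "ParentCommandLine": "rundll32.exe C:\\Users\\Public\\update.dat,Start",
        "Image": "C:\\Windows\\System32\\wermgr.exe",
    },
    {   # Sound control panel opening the volume mixer: selection hits, filter excludes
        "id": "evt2",
        "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
        "ParentCommandLine": "rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0",
        "Image": "C:\\Windows\\System32\\SndVol.exe",
    },
    {   # sndvol under rundll32 without mmsys.cpl in the parent command line: should alert
        "id": "evt3",
        "ParentImage": "C:\\Windows\\SysWOW64\\RUNDLL32.EXE",
        "ParentCommandLine": "rundll32.exe C:\\ProgramData\\img.png,Crash",
        "Image": "C:\\Windows\\SysWOW64\\sndvol.exe",
    },
    {   # rundll32 spawning a binary the rule does not list: out of scope
        "id": "evt4",
        "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
        "ParentCommandLine": "rundll32.exe example.dll,Entry",
        "Image": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # wermgr with a non-rundll32 parent: out of scope
        "id": "evt5",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "ParentCommandLine": "svchost.exe -k WerSvcGroup",
        "Image": "C:\\Windows\\System32\\wermgr.exe",
    },
]


def alerting_ids(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], "ALERT" if matches(e) else "-", e["Image"])
    print("alerts:", alerting_ids())
```

Two things worth checking when deploying the rule through a backend: the `endswith` and `contains` comparisons must stay case-insensitive (the events above mix `RUNDLL32.EXE` and `SndVol.exe` on purpose), and the sndvol exclusion only works if the log source actually carries `ParentCommandLine`. Sysmon event 1 does; a source that records only the creator process name (Security event 4688, for instance) will never populate that field, so every volume-mixer launch from the Sound control panel would alert and the "Unlikely" false-positive estimate no longer holds.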
Related rules
- Pikabot Fake DLL Extension Execution Via Rundll32.EXE
- Malicious DLL Load By Compromised 3CXDesktopApp
- Potential Compromised 3CXDesktopApp Execution
- Potential Process Hollowing Activity
- Diamond Sleet APT DLL Sideloading Indicators