Potential Pikabot Hollowing Activity
Detects rundll32.exe spawning one of a small, hard-coded set of legitimate Windows binaries. Pikabot has been observed using this parent/child pattern for process hollowing (T1055.012): its rundll32-hosted loader starts a benign Windows binary and replaces its image in memory. The child list is deliberately limited to binaries seen used by Pikabot, and the one known benign case (the Sound control panel launching sndvol.exe via rundll32.exe with mmsys.cpl on the command line) is filtered out.
Sigma rule (View on GitHub)
title: Potential Pikabot Hollowing Activity
id: d8937fe7-42d5-4b4d-8178-e089c908f63f
status: test
description: |
    Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
    The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
references:
    - https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62
    - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
author: Andreas Braathen (mnemonic.io)
date: 2023-10-27
modified: 2024-01-26
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1055.012
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\rundll32.exe'
        Image|endswith:
            # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
            - '\SearchFilterHost.exe'
            - '\SearchProtocolHost.exe'
            - '\sndvol.exe'
            - '\wermgr.exe'
            - '\wwahost.exe'
    filter_main_legit_sndvol:
        Image|endswith: '\sndvol.exe'
        ParentCommandLine|contains: 'mmsys.cpl'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
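To make the selection, filter and condition concrete, the following is an added, stand-alone re-implementation of this rule's matching logic in plain Python, run over a handful of constructed process-creation events. It is not the rule's own code, not a Sigma backend, and not pySigma output; in production the rule is converted by a Sigma backend into the query language of your SIEM or EDR. It assumes the Sigma process_creation field names (ParentImage, Image, ParentCommandLine) and the Sigma default that string modifiers such as endswith and contains match case-insensitively. Every event below is sample data written for this example, not real telemetry, and the DLL path in the first event is a placeholder, not a Pikabot indicator.

```python
"""Re-implementation of the 'Potential Pikabot Hollowing Activity' Sigma logic.

Added example, not part of the Sigma rule or of any Sigma backend.
Field names follow the Sigma process_creation taxonomy; matching follows
the Sigma default of case-insensitive string comparison.
"""
from typing import Dict, Iterable, List

# selection: ParentImage|endswith '\rundll32.exe'
PARENT_SUFFIX = "\\rundll32.exe"
# selection: Image|endswith one of the binaries Pikabot has been seen to hollow
CHILD_SUFFIXES = (
    "\\SearchFilterHost.exe",
    "\\SearchProtocolHost.exe",
    "\\sndvol.exe",
    "\\wermgr.exe",
    "\\wwahost.exe",
)
# filter_main_legit_sndvol: the Sound control panel applet reaches sndvol.exe
# through rundll32.exe with 'mmsys.cpl' on the parent command line.
LEGIT_SNDVOL_FRAGMENT = "mmsys.cpl"


def _endswith_any(value: str, suffixes: Iterable[str]) -> bool:
    """Sigma '|endswith' over a list: OR across values, case-insensitive."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains(value: str, fragment: str) -> bool:
    """Sigma '|contains': case-insensitive substring match."""
    return fragment.lower() in value.lower()


def selection(event: Dict[str, str]) -> bool:
    """Both selection fields must match (AND within a selection map)."""
    return (_endswith_any(event.get("ParentImage", ""), [PARENT_SUFFIX])
            and _endswith_any(event.get("Image", ""), CHILD_SUFFIXES))


def filter_main_legit_sndvol(event: Dict[str, str]) -> bool:
    """The one benign parent/child pair the rule carves out."""
    return (_endswith_any(event.get("Image", ""), ["\\sndvol.exe"])
            and _contains(event.get("ParentCommandLine", ""), LEGIT_SNDVOL_FRAGMENT))


def matches(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    filters = (filter_main_legit_sndvol,)
    return selection(event) and not any(f(event) for f in filters)


# Constructed sample events (not real telemetry). The DLL path is a placeholder.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "pikabot-wermgr",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "ParentCommandLine": r"rundll32.exe C:\Users\Public\loader.dll,Entry",
     "Image": r"C:\Windows\System32\wermgr.exe"},
    {"id": "legit-sound-cpl",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "ParentCommandLine": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0",
     "Image": r"C:\Windows\System32\sndvol.exe"},
    {"id": "sndvol-no-cpl",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "ParentCommandLine": r"rundll32.exe C:\Users\Public\loader.dll,Entry",
     "Image": r"C:\Windows\System32\sndvol.exe"},
    {"id": "explorer-wermgr",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wermgr.exe"},
    {"id": "case-variant",
     "ParentImage": r"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE",
     "ParentCommandLine": r"RUNDLL32.EXE C:\Users\Public\loader.dll,Entry",
     "Image": r"C:\Windows\System32\WWAHost.exe"},
]


def alerting_events(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the ids of events that would raise this rule."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for event_id in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", event_id)
```

Running it flags pikabot-wermgr, sndvol-no-cpl and case-variant; legit-sound-cpl passes selection but is suppressed by the filter, and explorer-wermgr never matches because the parent is not rundll32.exe. The case-variant event is why case-insensitive matching matters: a backend that compiles endswith to a case-sensitive comparison would silently miss it.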
Related rules
- APT27 - Emissary Panda Activity
- Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
- Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
- DLL Names Used By SVR For GraphicalProton Backdoor
- Diamond Sleet APT DLL Sideloading Indicators