Potential Pikabot Hollowing Activity
Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
Sigma rule (View on GitHub)
1title: Potential Pikabot Hollowing Activity
2id: d8937fe7-42d5-4b4d-8178-e089c908f63f
3status: test
4description: |
5 Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
6 The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
7references:
8 - https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62
9 - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
10 - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
11author: Andreas Braathen (mnemonic.io)
12date: 2023-10-27
13modified: 2024-01-26
14tags:
15 - attack.privilege-escalation
16 - attack.stealth
17 - attack.t1055.012
18 - detection.emerging-threats
19logsource:
20 product: windows
21 category: process_creation
22detection:
23 selection:
24 ParentImage|endswith: '\rundll32.exe'
25 Image|endswith:
26 # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
27 - '\SearchFilterHost.exe'
28 - '\SearchProtocolHost.exe'
29 - '\sndvol.exe'
30 - '\wermgr.exe'
31 - '\wwahost.exe'
32 filter_main_legit_sndvol:
33 Image|endswith: '\sndvol.exe'
34 ParentCommandLine|contains: 'mmsys.cpl'
35 condition: selection and not 1 of filter_main_*
36falsepositives:
37 - Unlikely
38level: high
References
Related rules
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity
- Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
- Atomic MacOS Stealer - Persistence Indicators
- Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)