Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
Detects process-creation events in which rundll32.exe is the parent of selected legitimate Windows binaries. The Pikabot malware has been observed using this pattern for process hollowing, launching a hard-coded list of Windows binaries from rundll32 and replacing their memory with its own payload.
Sigma rule
```yaml
title: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
id: d8937fe7-42d5-4b4d-8178-e089c908f63f
status: experimental
description: |
    Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
    The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
references:
    - https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62
author: Andreas Braathen (mnemonic.io)
date: 2023/10/27
tags:
    - attack.defense_evasion
    - attack.t1055.012
    - detection.emerging_threats
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\rundll32.exe'
    selection_child:
        Image|endswith:
            # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
            - '\searchprotocolhost.exe'
            - '\sndvol.exe'
            - '\wermgr.exe'
            - '\wwahost.exe'
    filter_main_legit_sndvol:
        Image|endswith: '\sndvol.exe'
        ParentCommandLine|contains: 'mmsys.cpl'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
```
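To make the condition concrete, the following is an added example (not part of the Sigma project or this rule) that re-implements the rule's logic in plain Python and runs it over a handful of constructed process-creation events. Field names follow the Sigma Windows process_creation taxonomy used in the rule (Image, ParentImage, ParentCommandLine); the sample events, including the command lines, are invented for illustration. Sigma string modifiers such as `endswith` and `contains` are case-insensitive by default, which the helpers below reproduce, so the mixed-case paths in the samples still match.

```python
# Added example: evaluates the Sigma rule above against constructed events.
# Not the Sigma project's code; field names follow Sigma's process_creation taxonomy.

SUSPICIOUS_CHILDREN = (
    "\\searchprotocolhost.exe",
    "\\sndvol.exe",
    "\\wermgr.exe",
    "\\wwahost.exe",
)


def _endswith_ci(value, suffix):
    # Sigma string modifiers are case-insensitive by default.
    return (value or "").lower().endswith(suffix.lower())


def _contains_ci(value, needle):
    return needle.lower() in (value or "").lower()


def matches_rule(event):
    """Return True when an event satisfies the rule condition:
    all of selection_* and not 1 of filter_main_*"""
    selection_parent = _endswith_ci(event.get("ParentImage"), "\\rundll32.exe")
    selection_child = any(
        _endswith_ci(event.get("Image"), suffix) for suffix in SUSPICIOUS_CHILDREN
    )
    # filter_main_legit_sndvol: SndVol launched from the Sound control panel applet.
    filter_legit_sndvol = _endswith_ci(event.get("Image"), "\\sndvol.exe") and _contains_ci(
        event.get("ParentCommandLine"), "mmsys.cpl"
    )
    return selection_parent and selection_child and not filter_legit_sndvol


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # rundll32 spawning wermgr.exe: matches selection_parent and selection_child
        "id": 1,
        "ParentImage": r"C:\Windows\System32\rundll32.exe",
        "ParentCommandLine": r"rundll32.exe example.dll,Start",
        "Image": r"C:\Windows\System32\wermgr.exe",
    },
    {   # Sound control panel opening SndVol: suppressed by filter_main_legit_sndvol
        "id": 2,
        "ParentImage": r"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE",
        "ParentCommandLine": r"rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl",
        "Image": r"C:\Windows\System32\SndVol.exe",
    },
    {   # wermgr.exe started by explorer: parent does not match
        "id": 3,
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
        "Image": r"C:\Windows\System32\wermgr.exe",
    },
    {   # rundll32 spawning wwahost.exe: matches, mixed case handled
        "id": 4,
        "ParentImage": r"C:\Windows\System32\rundll32.exe",
        "ParentCommandLine": r"rundll32.exe printui.dll,PrintUIEntry",
        "Image": r"C:\Windows\System32\WWAHost.exe",
    },
]


def alerting_event_ids(events=SAMPLE_EVENTS):
    """Return the ids of events that would raise this rule."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], "ALERT" if matches_rule(e) else "ok", e["Image"])
```

Running the script flags events 1 and 4 and leaves event 2 alone because of the mmsys.cpl filter, which is the behaviour a SIEM backend should show after converting the rule; if a backend treats `endswith` as case-sensitive, event 4 would be missed, so checking a mixed-case sample like this one is a cheap way to validate the conversion.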
Related rules
- Diamond Sleet APT DLL Sideloading Indicators
- Diamond Sleet APT Scheduled Task Creation - Registry
- Potential CVE-2023-36884 Exploitation Dropped File
- Equation Group DLL_U Export Function Load
- Malicious DLL Load By Compromised 3CXDesktopApp