Potential Pikabot Hollowing Activity
Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
Sigma rule (View on GitHub)
1title: Potential Pikabot Hollowing Activity
2id: d8937fe7-42d5-4b4d-8178-e089c908f63f
3status: experimental
4description: |
5 Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
6 The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
7references:
8 - https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62
9 - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
10 - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
11author: Andreas Braathen (mnemonic.io)
12date: 2023/10/27
13modified: 2024/01/26
14tags:
15 - attack.defense_evasion
16 - attack.t1055.012
17 - detection.emerging_threats
18logsource:
19 product: windows
20 category: process_creation
21detection:
22 selection:
23 ParentImage|endswith: '\rundll32.exe'
24 Image|endswith:
25 # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
26 - '\SearchFilterHost.exe'
27 - '\SearchProtocolHost.exe'
28 - '\sndvol.exe'
29 - '\wermgr.exe'
30 - '\wwahost.exe'
31 filter_main_legit_sndvol:
32 Image|endswith: '\sndvol.exe'
33 ParentCommandLine|contains: 'mmsys.cpl'
34 condition: selection and not 1 of filter_main_*
35falsepositives:
36 - Unlikely
37level: high
References
Related rules
- Pikabot Fake DLL Extension Execution Via Rundll32.EXE
- Rhadamanthys Stealer Module Launch Via Rundll32.EXE
- Malware Shellcode in Verclsid Target Process
- Potential Process Hollowing Activity
- Potential Exploitation Attempt From Office Application