Pikabot Fake DLL Extension Execution Via Rundll32.EXE

Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.

Sigma rule

title: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
id: 1bf0ba65-9a39-42a2-9271-31d31bf2f0bf
status: test
description: |
        Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
references:
    - https://github.com/pr0xylife/Pikabot
    - https://tria.ge/231004-tp8k6sch9t/behavioral2
    - https://www.virustotal.com/gui/file/56db0c4842a63234ab7fe2dda6eeb63aa7bb68f9a456985b519122f74dea37e2/behavior
    - https://tria.ge/231212-r1bpgaefar/behavioral2
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2024-01-26
tags:
    - detection.emerging-threats
    - attack.defense-evasion
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\wscript.exe'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - ':\ProgramData\'
            - ':\Users\Public\'
            - ':\Windows\Installer\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    filter_main_known_extension:
        - CommandLine|contains:
              - '.cpl '
              - '.cpl,'
              - '.dll '
              - '.dll,'
              - '.inf '
              - '.inf,'
        - CommandLine|endswith:
              - '.cpl'
              - '.cpl"'
              - '.dll'
              - '.dll"'
              - '.inf'
              - '.inf"'
              - ".cpl'"
              - ".dll'"
              - ".inf'"
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
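The rule's selection and filter logic, re-implemented as an added Python example (not part of the Sigma rule or the Sigma project) and run over constructed process_creation events; all paths and command lines below are made up for the demonstration.

```python
# Added example (not the Sigma project's own code): re-implements the rule's
# selection and filter_main_known_extension logic and runs it over constructed
# process_creation events. Sigma matching is case-insensitive, so all values
# are compared lower-cased.
PARENTS = ("\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
           "\\pwsh.exe", "\\regsvr32.exe", "\\wscript.exe")
SUSPICIOUS_PATHS = (":\\programdata\\", ":\\users\\public\\", ":\\windows\\installer\\",
                    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
KNOWN_EXT = (".cpl", ".dll", ".inf")

def known_extension(cmd):
    """Filter: ext followed by space or comma anywhere, or ext (optionally quoted) at the end."""
    in_middle = any(ext + sep in cmd for ext in KNOWN_EXT for sep in (" ", ","))
    at_end = any(cmd.endswith(ext + q) for ext in KNOWN_EXT for q in ("", '"', "'"))
    return in_middle or at_end

def matches(event):
    """True when 'selection and not 1 of filter_main_*' holds for the event."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    selection = (parent.endswith(PARENTS)            # list value: any item matches
                 and image.endswith("\\rundll32.exe")
                 and any(p in cmd for p in SUSPICIOUS_PATHS))
    return selection and not known_extension(cmd)

# Constructed sample events using Sigma's process_creation field names.
SAMPLE_EVENTS = [
    {   # renamed DLL with a non-DLL extension, spawned by cmd.exe: fires
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe C:\\Users\\Public\\report.jpg,Entry"},
    {   # ordinary .dll from Temp: excluded by the '.dll,' filter pattern
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\setup.dll,Install"},
    {   # quoted .dll path followed by a comma: no listed filter pattern covers
        # '.dll",', so this still fires (a tuning caveat for this rule)
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": 'rundll32.exe "C:\\ProgramData\\lib.dll",Install'},
    {   # parent explorer.exe is not in the watched list: no match
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe C:\\ProgramData\\x.bin,Run"},
]

def alert_indexes(events=SAMPLE_EVENTS):
    """Indexes of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Running `alert_indexes()` returns `[0, 2]`: the renamed-extension case and the quoted-path case fire, the plain `.dll,` invocation is filtered, and the explorer.exe parent never enters the selection.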
