attack.t1573

Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE

Nov 6, 2023 · attack.command_and_control attack.t1573 detection.emerging_threats ·

Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.

Activity from Anonymous IP Addresses

Oct 12, 2023 · attack.command_and_control attack.t1573 ·

Share on:

Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.

Activity from Infrequent Country

Oct 12, 2023 · attack.command_and_control attack.t1573 ·

Share on:

Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.

Activity from Suspicious IP Addresses

Oct 12, 2023 · attack.command_and_control attack.t1573 ·

Share on:

Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.

Suspicious SSL Connection

Jan 27, 2023 · attack.command_and_control attack.t1573 ·

Share on:

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.