Emerging Threathightest

Pingback Backdoor DLL Loading Activity

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Bhabesh RajCreated Wed May 05Updated Fri Feb 1735a7dc42-bc6f-46e0-9f83-81f8e56c8d4b2021

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        Image|endswith: '\msdtc.exe'
        ImageLoaded: 'C:\Windows\oci.dll'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0005 · Defense Evasion TA0003 · Persistence

Sub-techniques

T1574.001 · DLL Search Order Hijacking

Other

detection.emerging-threats

Related Rules

SimilarEmerging Threathigh

Pingback Backdoor DLL Loading Activity

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Detects similar activity. Both rules may fire on overlapping events.

SimilarEmerging Threathigh

Pingback Backdoor Activity

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b

Status

test

Level

high

Type

Emerging Threat

Created

Wed May 05

Modified

Fri Feb 17

Author

Bhabesh Raj

Path

rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml

Raw Tags

attack.privilege-escalationattack.defense-evasionattack.persistenceattack.t1574.001detection.emerging-threats

View on GitHub