Emerging Threathightest

Potential Pikabot Discovery Activity

Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups. The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Andreas Braathen (mnemonic.io)Created Fri Oct 27Updated Fri Jan 26698d4431-514f-4c82-af4d-cf573872a9f52023

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Definition

Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule

Detection Logic

detection:
    selection_parent:
        - GrandParentImage|endswith: '\rundll32.exe'
        - ParentImage|endswith:
              - '\SearchFilterHost.exe'
              - '\SearchProtocolHost.exe'
    selection_child:
        CommandLine:
            # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware
            - 'ipconfig.exe /all'
            - 'netstat.exe -aon'
            - 'whoami.exe /all'
    condition: all of selection_*