Pingback Backdoor Activity
Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
    selection:
        ParentImage|endswith: '\updata.exe'
        CommandLine|contains|all:
            - 'config'
            - 'msdtc'
            - 'start'
            - 'auto'
    condition: selection

False positives are unlikely in most environments: the individual terms ('config', 'start', 'auto') are common in service-management command lines, but requiring all of them together with a parent image named updata.exe makes a hit a high-confidence detection.
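The following is an added example, not part of the Sigma rule or the Trustwave report, showing how the selection above evaluates against process-creation events. It implements only the modifiers this rule uses (endswith, contains, all), reproduces Sigma's default case-insensitive string matching, and runs over a handful of constructed events with Sysmon-style field names (ParentImage, Image, CommandLine); the sample command lines are made up for illustration and are not captured telemetry.

```python
from typing import Dict, List, Union

# The rule's selection block, transcribed from the YAML above.
SELECTION: Dict[str, Union[str, List[str]]] = {
    "ParentImage|endswith": "\\updata.exe",
    "CommandLine|contains|all": ["config", "msdtc", "start", "auto"],
}


def field_matches(event: Dict[str, str], spec: str, expected) -> bool:
    """Evaluate one 'Field|modifier...' entry of a Sigma selection.

    Sigma string comparisons are case-insensitive by default, so both sides
    are lower-cased first. Only the modifiers this rule needs are implemented;
    anything else is rejected rather than silently treated as a match.
    """
    field, *mods = spec.split("|")
    value = str(event.get(field, "")).lower()
    if mods == ["endswith"]:
        return value.endswith(expected.lower())
    if mods == ["contains", "all"]:
        return all(term.lower() in value for term in expected)
    if mods == ["contains"]:
        terms = expected if isinstance(expected, list) else [expected]
        return any(term.lower() in value for term in terms)
    raise ValueError(f"unsupported modifiers: {mods}")


def selection_matches(event: Dict[str, str], selection=SELECTION) -> bool:
    """Entries of a Sigma selection map are AND-ed together."""
    return all(field_matches(event, spec, exp) for spec, exp in selection.items())


# Constructed process-creation events (hypothetical, Sysmon Event ID 1 style).
EVENTS = [
    {   # the behaviour the rule targets: updata.exe reconfiguring msdtc to auto-start
        "ParentImage": "C:\\Users\\Public\\updata.exe",
        "Image": "C:\\Windows\\System32\\sc.exe",
        "CommandLine": "sc config msdtc start= auto",
    },
    {   # same command with different casing: still a hit, matching is case-insensitive
        "ParentImage": "C:\\TEMP\\UPDATA.EXE",
        "Image": "C:\\Windows\\System32\\sc.exe",
        "CommandLine": "SC CONFIG MSDTC START= AUTO",
    },
    {   # legitimate admin activity: right command line, wrong parent -> no alert
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\sc.exe",
        "CommandLine": "sc config msdtc start= auto",
    },
    {   # right parent, but only a query rather than a reconfiguration -> no alert
        "ParentImage": "C:\\Users\\Public\\updata.exe",
        "Image": "C:\\Windows\\System32\\sc.exe",
        "CommandLine": "sc query msdtc",
    },
]


def run_rule(events) -> List[int]:
    """Return the indexes of events satisfying 'condition: selection'."""
    return [i for i, ev in enumerate(events) if selection_matches(ev)]


if __name__ == "__main__":
    for i in run_rule(EVENTS):
        print(f"ALERT event[{i}]: {EVENTS[i]['ParentImage']} -> {EVENTS[i]['CommandLine']}")
```

The third event is the case to keep in mind when tuning: the command line alone is ordinary service administration, and it is only the updata.exe parent that turns it into a detection, so the parent-image check is the part of the rule not to loosen.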
Pingback Backdoor DLL Loading Activity
Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report.
Detects similar activity. Both rules may fire on overlapping events.
Pingback Backdoor File Indicators
Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report.
Detects similar activity. Both rules may fire on overlapping events.