Emerging Threathightest

Potential Pikabot C2 Activity

Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Andreas Braathen (mnemonic.io)Created Fri Oct 27Updated Fri Jan 26cae6cee6-0244-44d2-84ed-e65f548eb7dc2023

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsNetwork Connection

ProductWindows← raw: windows

CategoryNetwork Connection← raw: network_connection

Events for outbound and inbound network connections including DNS resolution.

Definition

Requirements: By default the network_connection type event might not contain the ParentImage. Make sure you collect such fields in order to use this rule

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\rundll32.exe'
        Image|endswith:
            # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
            - '\SearchFilterHost.exe'
            - '\SearchProtocolHost.exe'
            - '\sndvol.exe'
            - '\wermgr.exe'
            - '\wwahost.exe'
        Protocol: tcp
        Initiated: 'true'
    condition: selection