Pikabot Fake DLL Extension Execution Via Rundll32.EXE

Rule Info

Name: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
Description: Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
Date: 2024-01-26 00:00:00
Modified: None
Id: 1bf0ba65-9a39-42a2-9271-31d31bf2f0bf
Tags: detection.emerging-threats attack.defense-evasion attack.execution DEMO
Type: Community Rule

Rule History

Author | Title | Date | Commit
Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 |
Swachchhanda Shrawan Poudel | Merge PR #4678 from @swachchhanda000 - Adds and updates Pikabot and rundll32 related rules | 2024-01-29 |