Rule Info
Name
Pikabot Fake DLL Extension Execution Via Rundll32.EXE
Author
Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
Description
Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
Reference
Date
2024-01-26 00:00:00
Modified
None
Id
1bf0ba65-9a39-42a2-9271-31d31bf2f0bf
Tags
detection.emerging-threats attack.defense-evasion attack.execution DEMO
Type
Community Rule