Pikabot Fake DLL Extension Execution Via Rundll32.EXE

Rule Info

Name: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
Description: Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
Date: 2024-01-26 00:00:00
Modified: None
Id: 1bf0ba65-9a39-42a2-9271-31d31bf2f0bf
Tags: detection.emerging_threats, attack.defense_evasion, attack.execution, DEMO
Type: Community Rule

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #4678 from @swachchhanda000 - Adds and updates Pikabot and rundll32 related rules
Date: 2024-01-29
Commit: