Rule Info
Name: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
Description: Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
Reference:
Date: 2024-01-26 00:00:00
Modified: None
Id: 1bf0ba65-9a39-42a2-9271-31d31bf2f0bf
Tags: attack.execution, detection.emerging-threats, attack.stealth
Type: Community Rule
Link to Public Repo:
Rule History
| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| Nasreddine Bencherchali | Merge PR #5966 from @nasbench - Update mitre tags to use attack v19 | 2026-04-29 | |
| frack113 | Merge PR #5169 from @frack113 - Add missing `detection.emerging-threats` tags | 2025-01-30 | |
| github-actions[bot] | Merge PR #5101 from @nasbench - Promote older rules status from `experimental` to `test` | 2024-12-01 | |
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 | |
| Swachchhanda Shrawan Poudel | Merge PR #4678 from @swachchhanda000 - Adds and updates Pikabot and rundll32 related rules | 2024-01-29 | |
