Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
Andreas Braathen (mnemonic.io)
Detects the execution of rundll32 that leads to system discovery activity, such as network, user and domain-group enumeration. The Pikabot malware has been seen using this technique as part of its C2 botnet registration, with a short collection time frame (less than 1 minute).
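The following is an added example, not the Sigma rule itself and not code from the rule author or the public repository. It applies the same idea to constructed Sysmon-style process-creation records: flag discovery binaries (whoami, ipconfig, net/net1, an assumed illustrative set) whose parent is rundll32.exe. The Sigma rule matches per event; the burst grouping by parent PID over a 60-second window is an added aggregation that mirrors the "less than 1 minute" note in the description, and the field names and sample events are assumptions.

```python
"""Added example (not the Sigma rule): matcher plus a 60-second burst grouper.
Assumptions: events carry UtcTime, ParentProcessId, ParentImage, Image and
CommandLine, as in Sysmon Event ID 1; DISCOVERY_IMAGES is an illustrative set."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Illustrative discovery binaries matching the description: network, user info,
# domain groups. This set is an assumption, not the rule's selection list.
DISCOVERY_IMAGES = {"whoami.exe", "ipconfig.exe", "net.exe", "net1.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-10 10:00:00", "ParentProcessId": 4100,
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all"},
    {"UtcTime": "2024-01-10 10:00:05", "ParentProcessId": 4100,
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
    {"UtcTime": "2024-01-10 10:00:12", "ParentProcessId": 4100,
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "domain admins" /domain'},
    # Benign: explorer launching cmd, should not match.
    {"UtcTime": "2024-01-10 10:01:00", "ParentProcessId": 800,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    # Isolated single discovery command: matches per event, but no burst.
    {"UtcTime": "2024-01-10 12:00:00", "ParentProcessId": 5200,
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig"},
]


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of odd directories."""
    return PureWindowsPath(path).name.lower()


def is_rundll32_discovery(ev):
    """Per-event check: rundll32.exe parent spawning a discovery binary."""
    return (basename(ev["ParentImage"]) == "rundll32.exe"
            and basename(ev["Image"]) in DISCOVERY_IMAGES)


def match_events(events):
    """All events that satisfy the per-event condition (what the Sigma rule does)."""
    return [ev for ev in events if is_rundll32_discovery(ev)]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_bursts(events, window=timedelta(seconds=60), min_distinct=2):
    """Added aggregation: per rundll32 parent PID, report the first window in
    which at least min_distinct different discovery binaries were launched."""
    by_parent = {}
    for ev in match_events(events):
        by_parent.setdefault(ev["ParentProcessId"], []).append(ev)

    bursts = []
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: _parse(e["UtcTime"]))
        times = [_parse(e["UtcTime"]) for e in evs]
        for i in range(len(evs)):
            j = i
            while j + 1 < len(evs) and times[j + 1] - times[i] <= window:
                j += 1
            group = evs[i:j + 1]
            if len({basename(e["Image"]) for e in group}) >= min_distinct:
                bursts.append({"ParentProcessId": ppid,
                               "start": evs[i]["UtcTime"],
                               "commands": [e["CommandLine"] for e in group]})
                break  # one report per parent is enough for triage
    return bursts


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_EVENTS):
        print(f"rundll32 PID {b['ParentProcessId']} at {b['start']}: {b['commands']}")
```

Run over the constructed events, the per-event matcher fires four times (three for PID 4100, one for PID 5200), while the burst grouper reports only PID 4100, where three different discovery commands ran within twelve seconds; the isolated ipconfig under PID 5200 stays a low-confidence single hit for an analyst to weigh.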
attack.discovery attack.t1016 attack.t1049 attack.t1087 detection.emerging_threats DEMO
Link to Public Repo
Merge PR #4521 from @netgrain - Add New Rules Related To Pikabot