
Rule Info
Name
Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
Author
Andreas Braathen (mnemonic.io)
Description
Detects the execution of rundll32 that leads to system discovery activity, including the collection of network, user and domain group information.
The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
Reference
Date
2023-10-27 00:00:00
Modified
None
Id
698d4431-514f-4c82-af4d-cf573872a9f5
Tags
attack.discovery attack.t1016 attack.t1049 attack.t1087 detection.emerging_threats DEMO
Type
Community Rule
Link to Public Repo
Rule History
Author
Title
Date
Commit
Andreas Braathen
Merge PR #4521 from @netgrain - Add New Rules Related To Pikabot
2023-11-06