
Rule Info
Name
Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
Author
Andreas Braathen (mnemonic.io)
Description
Detects the execution of rundll32 that leads to an external network connection.
The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
Reference
Date
2023-10-27 00:00:00
Modified
None
Id
cae6cee6-0244-44d2-84ed-e65f548eb7dc
Tags
attack.command_and_control attack.t1573 detection.emerging_threats DEMO
Type
Community Rule
Link to Public Repo
Rule History
Author
Andreas Braathen
Title
Merge PR #4521 from @netgrain - Add New Rules Related To Pikabot
Date
2023-11-06
Commit