Potential Pikabot C2 Activity

Rule Info

Name
Potential Pikabot C2 Activity
Author
Andreas Braathen (mnemonic.io)
Description
Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
Date
2023-10-27 00:00:00
Modified
2024-01-26 00:00:00
Id
cae6cee6-0244-44d2-84ed-e65f548eb7dc
Tags
attack.command_and_control attack.t1573 detection.emerging_threats DEMO
Type
Community Rule

Rule History

Author
Title
Date
Commit
Swachchhanda Shrawan Poudel
Merge PR #4678 from @swachchhanda000 - Adds and updates Pikabot and rundll32 related rules
2024-01-29
ahouspan
Merge PR #4650 from @ahouspan - Process Creation Cmdline Matches Patterns Observed in Pikabot Infections
2024-01-10
Andreas Braathen
Merge PR #4521 from @netgrain - Add New Rules Related To Pikabot
2023-11-06