Potential Pikabot C2 Activity

Rule Info

Name: Potential Pikabot C2 Activity
Author: Andreas Braathen (mnemonic.io)
Description: Detects rundll32 execution that results in an outbound connection to an external network address. The Pikabot malware has been observed using this technique to initiate C2 communication through hard-coded Windows binaries such as rundll32.
Date: 2023-10-27
Modified: 2024-01-26
Id: cae6cee6-0244-44d2-84ed-e65f548eb7dc
Tags: attack.command-and-control attack.t1573 detection.emerging-threats DEMO
Type: Community Rule
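The logic the description sketches, expressed as runnable detection code: a network-connection event whose initiating image is rundll32.exe, whose connection is outbound, and whose destination lies outside the local ranges. This is an added example written for this page, not the Sigma rule's own detection body. It assumes Sysmon Event ID 3 style field names (Image, Initiated, DestinationIp) and an assumed list of loopback, RFC 1918, link-local and unique-local ranges as the "internal" filter; the sample events are constructed for the demonstration and are not real telemetry.

```python
"""Added example: the rundll32-to-external-address check described on this
page, applied to constructed Sysmon Event ID 3 style records. Not the Sigma
rule's own body; field names and the internal-range filter are assumptions."""
import ipaddress

# Assumed filter: a destination inside one of these ranges is treated as
# internal, so a rundll32 connection to it does not count as "external".
INTERNAL_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "127.0.0.0/8",      # IPv4 loopback
        "10.0.0.0/8",       # RFC 1918
        "172.16.0.0/12",    # RFC 1918
        "192.168.0.0/16",   # RFC 1918
        "169.254.0.0/16",   # IPv4 link-local
        "::1/128",          # IPv6 loopback
        "fe80::/10",        # IPv6 link-local
        "fc00::/7",         # IPv6 unique local
    )
]


def is_external(dest_ip: str) -> bool:
    """True when dest_ip parses as an address outside every internal range.
    Unparseable values (for example an empty field) are treated as not
    external, so a malformed record cannot raise an alert by itself."""
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        return False
    # ipaddress handles the version mismatch: an IPv4 address is never
    # "in" an IPv6 network and vice versa, so one list covers both.
    return not any(addr in net for net in INTERNAL_NETWORKS)


def matches(event: dict) -> bool:
    """Apply the three conditions to one network-connection event:
    the image path ends in \\rundll32.exe (case-insensitive, like a Sigma
    endswith modifier), the host initiated the connection (outbound),
    and the destination is external."""
    image = str(event.get("Image", "")).lower()
    if not image.endswith("\\rundll32.exe"):
        return False
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    return is_external(str(event.get("DestinationIp", "")))


def find_matches(events):
    """Return the events that satisfy the rule, in input order."""
    return [e for e in events if matches(e)]


# Constructed sample events. 203.0.113.0/24 and 2001:db8::/32 are
# documentation ranges standing in for Internet addresses.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},      # alert
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "Initiated": "true",
     "DestinationIp": "192.168.1.10", "DestinationPort": 445},      # internal
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "Initiated": "false",
     "DestinationIp": "203.0.113.45", "DestinationPort": 49152},    # inbound
    {"Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},      # other image
    {"Image": "C:\\Windows\\SysWOW64\\RUNDLL32.EXE", "Initiated": "true",
     "DestinationIp": "2001:db8::1", "DestinationPort": 8080},      # alert (IPv6)
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "Initiated": "true",
     "DestinationIp": "", "DestinationPort": 80},                   # missing field
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT rundll32 -> {hit['DestinationIp']}:{hit['DestinationPort']}")
```

Two of the six constructed events fire (the two outbound rundll32 connections to non-internal addresses, one IPv4 and one IPv6). Because the check keys only on the image name and destination, any legitimate rundll32 use that reaches the Internet will also match; in practice the internal-range filter above is where an environment-specific allowlist (proxy addresses, update infrastructure) would be added before the rule is promoted beyond a hunting query.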

Rule History

Author | Title | Date | Commit
Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 |
Swachchhanda Shrawan Poudel | Merge PR #4678 from @swachchhanda000 - Adds and updates Pikabot and rundll32 related rules | 2024-01-29 |
ahouspan | Merge PR #4650 from @ahouspan - Process Creation Cmdline Matches Patterns Observed in Pikabot Infections | 2024-01-10 |
Andreas Braathen | Merge PR #4521 from @netgrain - Add New Rules Related To Pikabot | 2023-11-06 |