
Rule Info
Name
Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
Author
Andreas Braathen (mnemonic.io)
Description
Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
The Pikabot malware has been seen using this technique for process hollowing through hard-coded Windows binaries.
Reference
Date
2023-10-27 00:00:00
Modified
None
Id
d8937fe7-42d5-4b4d-8178-e089c908f63f
Tags
attack.defense_evasion attack.t1055.012 detection.emerging_threats DEMO
Type
Community Rule
Link to Public Repo
Rule History
Author
Title
Date
Commit
Andreas Braathen
Merge PR #4521 from @netgrain - Add New Rules Related To Pikabot
2023-11-06