Merge PR #4521 from @netgrain - Add New Rules Related To Pikabot

new: Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
new: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
new: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml

@@ -0,0 +1,35 @@
+title: Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
+id: cae6cee6-0244-44d2-84ed-e65f548eb7dc
+status: experimental
+description: |
+    Detects the execution of rundll32 that leads to an external network connection.
+    The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
+references:
+    - https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
+author: Andreas Braathen (mnemonic.io)
+date: 2023/10/27
+tags:
+    - attack.command_and_control
+    - attack.t1573
+    - detection.emerging_threats
+logsource:
+    product: windows
+    category: network_connection
+    definition: 'Requirements: By default the network_connection type event might not contain the ParentImage. Make sure you collect such fields in order to use this rule'
+detection:
+    selection_parent:
+        ParentImage|endswith: '\rundll32.exe'
+    selection_child:
+        Image|endswith:
+            # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
+            - '\searchprotocolhost.exe'
+            - '\sndvol.exe'
+            - '\wermgr.exe'
+            - '\wwahost.exe'
+    selection_connection:
+        Protocol: tcp
+        Initiated: 'true'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high

rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml

@@ -0,0 +1,33 @@
+title: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
+id: 698d4431-514f-4c82-af4d-cf573872a9f5
+status: experimental
+description: |
+    Detects the execution of rundll32 that leads to system discovery activity, such as incl. network, user info and domain groups.
+    The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
+references:
+    - https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
+author: Andreas Braathen (mnemonic.io)
+date: 2023/10/27
+tags:
+    - attack.discovery
+    - attack.t1016
+    - attack.t1049
+    - attack.t1087
+    - detection.emerging_threats
+logsource:
+    product: windows
+    category: process_creation
+    definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
+detection:
+    selection_grandparent:
+        GrandParentImage|endswith: '\rundll32.exe'
+    selection_cmdline:
+        CommandLine:
+            # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware
+            - 'ipconfig.exe /all'
+            - 'netstat.exe -aon'
+            - 'whoami.exe /all'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high

rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml

@@ -0,0 +1,34 @@
+title: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
+id: d8937fe7-42d5-4b4d-8178-e089c908f63f
+status: experimental
+description: |
+    Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
+    The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
+references:
+    - https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62
+author: Andreas Braathen (mnemonic.io)
+date: 2023/10/27
+tags:
+    - attack.defense_evasion
+    - attack.t1055.012
+    - detection.emerging_threats
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_parent:
+        ParentImage|endswith: '\rundll32.exe'
+    selection_child:
+        Image|endswith:
+            # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
+            - '\searchprotocolhost.exe'
+            - '\sndvol.exe'
+            - '\wermgr.exe'
+            - '\wwahost.exe'
+    filter_main_legit_sndvol:
+        Image|endswith: '\sndvol.exe'
+        ParentCommandLine|contains: 'mmsys.cpl'
+    condition: all of selection_* and not 1 of filter_main_*
+falsepositives:
+    - Unlikely
+level: high

tests/logsource.json

@@ -9,11 +9,11 @@
                 "process_creation": ["CommandLine", "Company", "CurrentDirectory", "Description", "FileVersion",
                                     "Hashes", "Image", "IntegrityLevel", "LogonGuid", "LogonId", "OriginalFileName",
                                     "ParentCommandLine", "ParentImage", "ParentProcessGuid", "ParentProcessId",
-                                    "ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User"],
+                                    "ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User", "GrandParentImage"],
                 "file_change": ["CreationUtcTime", "Image", "PreviousCreationUtcTime", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
                 "network_connection": ["DestinationHostname", "DestinationIp", "DestinationIsIpv6", "DestinationPort",
                                     "DestinationPortName", "Image", "Initiated", "ProcessGuid", "ProcessId", "Protocol", "SourceHostname",
-                                    "SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User"],
+                                    "SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User", "ParentImage"],
                 "sysmon_status": ["Configuration", "ConfigurationFileHash", "SchemaVersion", "State", "Version"],
                 "process_termination":["Image", "ProcessGuid", "ProcessId", "User"],
                 "driver_load":["Hashes", "ImageLoaded", "Signature", "SignatureStatus", "Signed"],