From ea4d6095a0a976bed23d78f85d4b8fd85ad2234e Mon Sep 17 00:00:00 2001
From: Andreas Braathen <103580973+netgrain@users.noreply.github.com>
Date: Mon, 6 Nov 2023 14:10:52 +0100
Subject: [PATCH] Merge PR #4521 from @netgrain - Add New Rules Related To Pikabot
new: Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
new: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
new: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 ..._win_malware_pikabot_rundll32_activity.yml | 35 +++++++++++++++++++
 ...win_malware_pikabot_rundll32_discovery.yml | 33 +++++++++++++++++
 ...win_malware_pikabot_rundll32_hollowing.yml | 34 ++++++++++++++++++
 tests/logsource.json | 4 +--
 4 files changed, 104 insertions(+), 2 deletions(-)
 create mode 100644 rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
 create mode 100644 rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml
 create mode 100644 rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml b/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
new file mode 100644
index 000000000..c81794184
--- /dev/null
+++ b/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
@@ -0,0 +1,35 @@
+title: Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
+id: cae6cee6-0244-44d2-84ed-e65f548eb7dc
+status: experimental
+description: |
+ Detects the execution of rundll32 that leads to an external network connection.
+ The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
+references:
+ - https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
+author: Andreas Braathen (mnemonic.io)
+date: 2023/10/27
+tags:
+ - attack.command_and_control
+ - attack.t1573
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: network_connection
+ definition: 'Requirements: By default the network_connection type event might not contain the ParentImage. Make sure you collect such fields in order to use this rule'
+detection:
+ selection_parent:
+ ParentImage|endswith: '\rundll32.exe'
+ selection_child:
+ Image|endswith:
+ # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
+ - '\searchprotocolhost.exe'
+ - '\sndvol.exe'
+ - '\wermgr.exe'
+ - '\wwahost.exe'
+ selection_connection:
+ Protocol: tcp
+ Initiated: 'true'
+ condition: all of selection_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml
new file mode 100644
index 000000000..110061f38
--- /dev/null
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml
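Review bot: The title and description describe an external C2 connection, but `selection_connection` only requires `Protocol: tcp` and `Initiated: 'true'`, so the rule also fires when one of the listed children connects to loopback or an RFC1918 address, which is where a benign searchprotocolhost.exe or wwahost.exe would normally talk. If "external" is the intent, a destination filter as sketched below keeps the logic aligned with the description; if any initiated connection is meant to alert, the description should say "a network connection" instead. Either way the chosen behaviour deserves a sentence in `description`, since the current wording invites tuning in the wrong direction. Note that the filter below relies on DestinationIp being collected, which the `definition` line does not yet mention.
```yaml
detection:
    # … unchanged: selection_parent, selection_child …
    selection_connection:
        Protocol: tcp
        Initiated: 'true'
    filter_main_local_ip:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
    condition: all of selection_* and not 1 of filter_main_*
```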
@@ -0,0 +1,33 @@
+title: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
+id: 698d4431-514f-4c82-af4d-cf573872a9f5
+status: experimental
+description: |
+ Detects the execution of rundll32 that leads to system discovery activity, such as incl. network, user info and domain groups.
+ The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
+references:
+ - https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
+author: Andreas Braathen (mnemonic.io)
+date: 2023/10/27
+tags:
+ - attack.discovery
+ - attack.t1016
+ - attack.t1049
+ - attack.t1087
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+ definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
+detection:
+ selection_grandparent:
+ GrandParentImage|endswith: '\rundll32.exe'
+ selection_cmdline:
+ CommandLine:
+ # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware
+ - 'ipconfig.exe /all'
+ - 'netstat.exe -aon'
+ - 'whoami.exe /all'
+ condition: all of selection_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
new file mode 100644
index 000000000..d74fbacce
--- /dev/null
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
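Review bot: `CommandLine:` under `selection_cmdline` carries no modifier, so each value is an exact (case-insensitive) match, and a command line logged with a full path such as `C:\Windows\System32\ipconfig.exe /all` or with different spacing would not match. If the referenced samples always produce exactly these strings the exact match is the most precise choice, but that should be stated next to the existing note, e.g. `# Note: Exact match is intended - the observed samples spawn these binaries with precisely this command line`; otherwise `CommandLine|endswith:` keeps the anchoring while tolerating a path prefix. The description's first line also reads awkwardly (`such as incl. network, user info and domain groups`); suggest `such as network, user and domain group enumeration`.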
@@ -0,0 +1,34 @@
+title: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
+id: d8937fe7-42d5-4b4d-8178-e089c908f63f
+status: experimental
+description: |
+ Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
+ The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
+references:
+ - https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62
+author: Andreas Braathen (mnemonic.io)
+date: 2023/10/27
+tags:
+ - attack.defense_evasion
+ - attack.t1055.012
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_parent:
+ ParentImage|endswith: '\rundll32.exe'
+ selection_child:
+ Image|endswith:
+ # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
+ - '\searchprotocolhost.exe'
+ - '\sndvol.exe'
+ - '\wermgr.exe'
+ - '\wwahost.exe'
+ filter_main_legit_sndvol:
+ Image|endswith: '\sndvol.exe'
+ ParentCommandLine|contains: 'mmsys.cpl'
+ condition: all of selection_* and not 1 of filter_main_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/tests/logsource.json b/tests/logsource.json
index d6fe9679b..6c6c10895
--- a/tests/logsource.json
+++ b/tests/logsource.json
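Review bot: `selection_child` repeats the same four image names as the net_connection rule earlier in this patch, and nothing ties the two lists together, so a future addition to one rule (the in-line note invites exactly that) will silently diverge from the other; a comment such as `# Note: Keep this list in sync with net_connection_win_malware_pikabot_rundll32_activity.yml` on each copy makes the coupling visible. Separately, `filter_main_legit_sndvol` only exempts the sndvol.exe launch via `mmsys.cpl`, and it depends on ParentCommandLine being collected, which unlike the sibling rules is not called out in a `definition` line; whether the other three children ever have a legitimate rundll32 parent is not recorded, so `falsepositives` would benefit from a sentence stating that they were checked. The description's second line also lacks a terminating period.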
@@ -9,11 +9,11 @@ "process_creation": ["CommandLine", "Company", "CurrentDirectory", "Description", "FileVersion", "Hashes", "Image", "IntegrityLevel", "LogonGuid", "LogonId", "OriginalFileName", "ParentCommandLine", "ParentImage", "ParentProcessGuid", "ParentProcessId", - "ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User"], + "ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User", "GrandParentImage"], "file_change": ["CreationUtcTime", "Image", "PreviousCreationUtcTime", "ProcessGuid", "ProcessId", "TargetFilename", "User"], "network_connection": ["DestinationHostname", "DestinationIp", "DestinationIsIpv6", "DestinationPort", "DestinationPortName", "Image", "Initiated", "ProcessGuid", "ProcessId", "Protocol", "SourceHostname", - "SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User"], + "SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User", "ParentImage"], "sysmon_status": ["Configuration", "ConfigurationFileHash", "SchemaVersion", "State", "Version"], "process_termination":["Image", "ProcessGuid", "ProcessId", "User"], "driver_load":["Hashes", "ImageLoaded", "Signature", "SignatureStatus", "Signed"],