T1016.001 Potential Pikabot C2 Activity Suspicious Process Created By Rundll32.EXE

T1016.001 - Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE

DESCRIPTION

Detects the execution of rundll32 that leads to system discovery activity, such as incl. network, user info and domain groups. The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).

Credit: Andreas Braathen (mnemonic.io)

Example:

APT1 used the ipconfig /all command to gather network configuration information. APT1

Reference:

https://github.com/SigmaHQ/sigma/blob/65ceeeea6fec56c673cf9ff6a4a9b14dc4eea191/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml

Related

https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242

ATT&CK TACTICS

T1016 - System Network Configuration Discovery
T1049 - System Network Connections Discovery
T1087 - Account Discovery

Data Source(s): Process

SENTINEL RULE QUERY

let selection_cmdline = dynamic(['ipconfig.exe /all','netstat.exe -aon','whoami.exe /all']);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where InitiatingProcessParentFileName == "rundll32.exe" //grandparent process to be rundll32.exe
| where ProcessCommandLine has_any (selection_cmdline)

Triage

1. This is a high fidelity threat hunt, analyse and triage the findings
2. Understand context of the activities, e.g. user, time, process, intent

False Positives

1.Unlikely, high fidelity threat hunt

VERSION

Version 1.0 (date: 07/02/2024)