Potential Pikabot Hollowing Activity

    Date: 12/31/2024

    Severity: Medium

    Summary

    Potential Pikabot Hollowing Activity is a detection for rundll32.exe spawning specific legitimate Windows binaries (SearchFilterHost.exe, SearchProtocolHost.exe, sndvol.exe, wermgr.exe and wwahost.exe). The Pikabot malware uses this parent/child relationship for process hollowing: it launches a legitimate Windows process and replaces its in-memory code with its own payload, so the payload runs under the name of a trusted system process and is harder to spot. The detection flags unusual or suspicious instances of rundll32 launching these processes, which may indicate an active infection or exploitation attempt.

    Indicators of Compromise (IOC) List

    ParentImage
        '\rundll32.exe'

    Image
        '\SearchFilterHost.exe'
        '\SearchProtocolHost.exe'
        '\sndvol.exe'
        '\wermgr.exe'
        '\wwahost.exe'

    Exclusion: Image
        '\sndvol.exe'

    Exclusion: ParentCommandLine
        'mmsys.cpl'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename = "Windows Security" AND eventtype = "4688" AND parentprocessname = "\rundll32.exe" AND processname IN ("\SearchFilterHost.exe","\SearchProtocolHost.exe","\sndvol.exe","\wermgr.exe","\wwahost.exe") AND processname not like "\sndvol.exe" AND parentcommandline not like "mmsys.cpl")

    Detection Query 2

    (technologygroup = "EDR" AND parentprocessname = "\rundll32.exe" AND processname IN ("\SearchFilterHost.exe","\SearchProtocolHost.exe","\sndvol.exe","\wermgr.exe","\wwahost.exe") AND processname not like "\sndvol.exe" AND parentcommandline not like "mmsys.cpl")

    Detection Query 3

    resourcename in ("Sysmon") AND eventtype = "1" AND parentimage = "\rundll32.exe" AND image IN ("\SearchFilterHost.exe","\SearchProtocolHost.exe","\sndvol.exe","\wermgr.exe","\wwahost.exe") AND image not like "\sndvol.exe" AND parentcommandline not like "mmsys.cpl"

    Detection Query 4

    technologygroup = "EDR" AND parentimage = "\rundll32.exe" AND image IN ("\SearchFilterHost.exe","\SearchProtocolHost.exe","\sndvol.exe","\wermgr.exe","\wwahost.exe") AND image not like "\sndvol.exe" AND parentcommandline not like "mmsys.cpl"
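    To show how the selection-and-exclusion logic of the queries above behaves on event data, here is an added Python example (not Gurucul's or the SigmaHQ project's code) that evaluates constructed Sysmon Event ID 1 records. It applies the exclusion the way the referenced Sigma rule's filter is written, only to sndvol.exe launched from a rundll32 command line containing mmsys.cpl, so sndvol.exe spawned by rundll32 without mmsys.cpl still fires.

```python
"""Pikabot rundll32 process-hollowing check, written as a Sigma-style
selection-minus-filter over Sysmon Event ID 1 (process creation) records.
Added example, not Gurucul's or SigmaHQ's code; the sample events below
are constructed, not captured from a real host."""

PARENT_IMAGE = "\\rundll32.exe"
CHILD_IMAGES = (
    "\\searchfilterhost.exe",
    "\\searchprotocolhost.exe",
    "\\sndvol.exe",
    "\\wermgr.exe",
    "\\wwahost.exe",
)


def is_pikabot_hollowing(event: dict) -> bool:
    """True when rundll32.exe spawns one of the hollowing targets, except
    the legitimate case of sndvol.exe opened from the Sound control panel
    (rundll32 ... mmsys.cpl). Matching is case-insensitive, as Sigma's
    Windows string modifiers are."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    selection = parent.endswith(PARENT_IMAGE) and image.endswith(CHILD_IMAGES)
    # The exclusion is a conjunction: BOTH conditions must hold to suppress.
    benign_sndvol = image.endswith("\\sndvol.exe") and "mmsys.cpl" in parent_cmd
    return selection and not benign_sndvol


# Constructed Sysmon EID 1 events carrying only the fields the rule uses.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\rundll32.exe",
     "ParentCommandLine": r"rundll32.exe C:\Users\Public\sample.dll,Entry",
     "Image": r"C:\Windows\System32\SearchProtocolHost.exe"},
    {"ParentImage": r"C:\Windows\System32\rundll32.exe",
     "ParentCommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl',
     "Image": r"C:\Windows\System32\SndVol.exe"},
    {"ParentImage": r"C:\Windows\System32\rundll32.exe",
     "ParentCommandLine": r"rundll32.exe C:\Users\Public\sample.dll,Entry",
     "Image": r"C:\Windows\System32\SndVol.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\wermgr.exe"},
]


def alerts(events):
    """Return the Image path of every event that fires the rule."""
    return [e["Image"] for e in events if is_pikabot_hollowing(e)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT rundll32 ->", hit)
```

    Only the first and third sample events fire: the second is the benign Sound control panel launch and the fourth has a non-rundll32 parent.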

    Reference: 

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml

    Tags

    Malware, Sigma, Exploitation, Pikabot
