Execute DLL with spoofed extension
Sigma rule
title: Execute DLL with spoofed extension
status: experimental
description: Execute DLL with spoofed extension
author: Joe Security
date: 2020-03-24
id: 200068
threatname:
behaviorgroup: 1
classification: 8
mitreattack:

logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # rundll32 given a payload whose file name carries a document or image
    # extension instead of .dll: either registered via DllRegisterServer, or
    # loaded from a world-writable directory (c:\programdata, c:\users\public),
    # or any path containing such an extension. Sigma wildcards are
    # case-insensitive; '\\' is an escaped literal backslash before the '*'.
    CommandLine:
      - '*rundll32*.html,DllRegisterServer*'
      - '*rundll32*.htm,DllRegisterServer*'
      - '*rundll32*.txt,DllRegisterServer*'
      - '*rundll32*.png,DllRegisterServer*'
      - '*rundll32*.jpeg,DllRegisterServer*'
      - '*rundll32*.jpg,DllRegisterServer*'
      - '*rundll32 c:\programdata\\*.pdf*'
      - '*rundll32 c:\programdata\\*.txt*'
      - '*rundll32 c:\programdata\\*.jpg*'
      - '*rundll32 c:\programdata\\*.png*'
      - '*rundll32 c:\programdata\\*.jpeg*'
      - '*rundll32 c:\users\public\\*.pdf*'
      - '*rundll32 c:\users\public\\*.txt*'
      - '*rundll32 c:\users\public\\*.jpg*'
      - '*rundll32 c:\users\public\\*.png*'
      - '*rundll32 c:\users\public\\*.jpeg*'
      - '*rundll32*\\*.pdf*'
      - '*rundll32*\\*.txt*'
      - '*rundll32*\\*.jpg*'
      - '*rundll32*\\*.png*'
      - '*rundll32*\\*.jpeg*'
      - '*rundll32*\\*.dat*'
  selection1:
    # keyword exclusion: file names containing '.Data' would otherwise
    # be caught by the '*.dat*' pattern above
    - '*rundll32*.Data*'
  condition: selection and not selection1
level: critical
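To see what the rule actually fires on before deploying it, the following Python harness evaluates it over sample command lines. It is an added example for this page, not part of Joe Security's rule or of any Sigma backend. It compiles the rule's patterns with Sigma's wildcard semantics (`*` matches any run of characters, `?` one character, `\\` is a literal backslash, `\*` a literal asterisk, matching is case-insensitive), applies `selection and not selection1`, and reports which pattern hit. Two assumptions: the keyword list in selection1 is evaluated against the CommandLine field only, and the event command lines are constructed here rather than taken from real logs.

```python
import re
from typing import List, Optional

# Patterns copied verbatim from the rule's selection (CommandLine list).
SELECTION: List[str] = [
    r'*rundll32*.html,DllRegisterServer*',
    r'*rundll32*.htm,DllRegisterServer*',
    r'*rundll32*.txt,DllRegisterServer*',
    r'*rundll32*.png,DllRegisterServer*',
    r'*rundll32*.jpeg,DllRegisterServer*',
    r'*rundll32*.jpg,DllRegisterServer*',
    r'*rundll32 c:\programdata\\*.pdf*',
    r'*rundll32 c:\programdata\\*.txt*',
    r'*rundll32 c:\programdata\\*.jpg*',
    r'*rundll32 c:\programdata\\*.png*',
    r'*rundll32 c:\programdata\\*.jpeg*',
    r'*rundll32 c:\users\public\\*.pdf*',
    r'*rundll32 c:\users\public\\*.txt*',
    r'*rundll32 c:\users\public\\*.jpg*',
    r'*rundll32 c:\users\public\\*.png*',
    r'*rundll32 c:\users\public\\*.jpeg*',
    r'*rundll32*\\*.pdf*',
    r'*rundll32*\\*.txt*',
    r'*rundll32*\\*.jpg*',
    r'*rundll32*\\*.png*',
    r'*rundll32*\\*.jpeg*',
    r'*rundll32*\\*.dat*',
]
# selection1 is a keyword list in the rule; assumption: matched on CommandLine only.
SELECTION1: List[str] = [r'*rundll32*.Data*']


def sigma_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Sigma wildcard string into an anchored, case-insensitive regex.

    '*' -> any run of characters, '?' -> one character,
    '\\\\' -> literal backslash, '\\*' -> literal asterisk, '\\?' -> literal '?'.
    A backslash followed by anything else is itself a literal backslash.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\' and i + 1 < len(pattern) and pattern[i + 1] in '*?\\':
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == '*':
            out.append('.*')
        elif ch == '?':
            out.append('.')
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile('^' + ''.join(out) + '$', re.IGNORECASE | re.DOTALL)


_SEL = [(p, sigma_to_regex(p)) for p in SELECTION]
_EXCL = [(p, sigma_to_regex(p)) for p in SELECTION1]


def first_match(command_line: str) -> Optional[str]:
    """Return the first selection pattern the command line satisfies, or None."""
    for raw, rx in _SEL:
        if rx.match(command_line):
            return raw
    return None


def rule_fires(command_line: str) -> bool:
    """Evaluate 'selection and not selection1' for one process_creation event."""
    selected = first_match(command_line) is not None
    excluded = any(rx.match(command_line) for _, rx in _EXCL)
    return selected and not excluded


# Constructed sample command lines (not captured logs) with the expected verdict.
SAMPLE_EVENTS = [
    (r'rundll32.exe C:\Users\Public\invoice.pdf,DllRegisterServer', True),
    (r'rundll32 c:\programdata\update.txt,DllRegisterServer', True),
    (r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL', False),
    # '.Data' would hit '*rundll32*\\*.dat*' but selection1 excludes it.
    (r'rundll32.exe C:\ProgramData\Vendor\config.Data,Init', False),
    # An extension the rule does not list is simply not covered.
    (r'rundll32.exe C:\Users\Public\evil.gif,DllRegisterServer', False),
]

if __name__ == '__main__':
    for cmd, expected in SAMPLE_EVENTS:
        verdict = rule_fires(cmd)
        print(f'{"ALERT " if verdict else "quiet "} {cmd}  <- {first_match(cmd)}')
        assert verdict == expected
```

Running it shows which of the 22 patterns triggered for each alert, which is what you want when tuning: the broad `*rundll32*\\*.pdf*` family catches paths the directory-specific patterns miss (note the `rundll32.exe` form never satisfies the `rundll32 c:\...` patterns, which require a space directly after `rundll32`), and the `.Data` exclusion is only there to compensate for `*.dat*`.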