Execute dll with txt extension from temp location

calendar May 3, 2021  ยท
Share on: linkedin copy

Execute dll with txt extension from temp location

Sigma rule (View on GitHub)

 1title: Execute dll with txt extension from temp location 
 2status: experimental
 3description: Execute dll with txt extension from temp location
 4author: Joe Security
 5date: 2020-02-11
 6id: 200050
 7threatname:
 8behaviorgroup: 1
 9classification: 8
10mitreattack:
11
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        CommandLine:
18            - '*rundll32*\appdata\local\temp\\*.txt*'
19    condition: selection
20level: critical
to-top