Rundll32 Injection into LSASS (RedCanary Threat Detection Report)
Detects instances where Rundll32 opens a cross process handle into LSASS to collect credentials. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Rundll32 Injection into LSASS (RedCanary Threat Detection Report)
2id: 7aa20f5c-6100-46c9-8885-427110e0c0e5
3status: experimental
4description: Detects instances where Rundll32 opens a cross process handle into LSASS to collect credentials. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/techniques/rundll32/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.defense_evasion
11 - attack.t1218.011
12logsource:
13 category: process_access
14 product: windows
15detection:
16 selection:
17 SourceImage|endswith: '\rundll32.exe'
18 TargetImage|endswith: '\lsass.exe'
19 condition: selection
20falsepositives:
21 - Unknown
22level: low```
References
-
Adversaries use Rundll32, a native Windows process, to execute malicious code through DLLs, often to bypass application controls.
Read More
Related rules
- Rundll32 Application Bypass with DllRegisterServer Function (RedCanary Threat Detection Report)
- Rundll32 Suspicious Process Lineage (RedCanary Threat Detection Report)
- Rundll32 Without a Command Line (RedCanary Threat Detection Report)
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution