Potential Gamarue DLL Filename (RedCanary Threat Detection Report)
Detects Gamarue DLL filename in command line strings. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: Potential Gamarue DLL Filename (RedCanary Threat Detection Report)
id: 62989cd5-4d35-4ce8-a1fd-73673c25d0f4
status: experimental
description: Detects Gamarue DLL filename in command line strings. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/gamarue/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.privilege_escalation
    - attack.t1055.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|re: '\S{10,70}\.\S{10,70},\w{16}'
    condition: selection
falsepositives:
    - Unknown
level: low
```
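As an added illustration (not part of the Sigma rule or the RedCanary report), the rule's selection translated into a Python check and run over constructed process_creation events; the field names follow the rule, the sample command lines are made up:

```python
import re

# Selection from the rule above: rundll32.exe whose command line contains
# <10-70 non-space chars>.<10-70 non-space chars>,<16 word chars>.
# Sigma's `re` modifier is an unanchored search, so re.search is the right
# call; that also means a longer export name (17+ word chars) still matches.
IMAGE_SUFFIX = "\\rundll32.exe"
CMDLINE_RE = re.compile(r"\S{10,70}\.\S{10,70},\w{16}")


def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies the rule's selection."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    # Sigma string matching on Windows logs is case-insensitive.
    if not image.lower().endswith(IMAGE_SUFFIX.lower()):
        return False
    return CMDLINE_RE.search(cmdline) is not None


# Constructed sample events (not real telemetry). The first mimics the shape
# the rule targets: a long random DLL name plus a random 16-char export name.
# Note that backslashes count as \S, so the 10-70 run can span path segments.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\rqvbxkzwmtpl.cdhnjsfayoeg,XkTrBnWqPlMzVcYa",
    },
    {   # benign: short system DLL and a short export name, no match
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
    },
    {   # same command line but another image: the Image clause must also hold
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\Users\victim\AppData\Local\Temp\rqvbxkzwmtpl.cdhnjsfayoeg,XkTrBnWqPlMzVcYa",
    },
]


def alerts(events) -> list:
    """Run the selection over events and return the matching command lines."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for cmd in alerts(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```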
Related rules
- Find Binary Searching for Executables with Setuid or Setguid Bit (RedCanary Threat Detection Report)
- Powershell Injecting Into Anything (RedCanary Threat Detection Report)
- Process Executing Sans Command Line (RedCanary Threat Detection Report)
- Suspicious Network Connections (RedCanary Threat Detection Report)
- CVE-2021-3156 Exploitation Attempt