Rundll32 Injection into LSASS
The following pseudo-detector should help security teams detect instances where Rundll32 opens a cross-process handle into LSASS to collect credentials. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule

```yaml
title: Rundll32 Injection into LSASS
id: c6a45ac1-b909-423b-907b-a9bfde31ab9c
status: experimental
description: |
    The following pseudo-detector should help security teams detect instances
    where Rundll32 opens a cross process handle into LSASS to collect credentials.
    Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.011
    - attack.t1055
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\rundll32.exe'
        TargetImage|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
```
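To show what the rule's `selection` block actually evaluates, here is an added example (not from the Red Canary report or the rule's authors) that applies the two `endswith` tests, with Sigma's default case-insensitive matching, to constructed Sysmon Event ID 10 (ProcessAccess) records, the event type behind the `process_access`/`windows` logsource. The paths and `GrantedAccess` values are made up; `GrantedAccess` is carried through only as alert context and is not part of the rule.

```python
from typing import Dict, List

# Fields and 'endswith' values copied from the Sigma rule's selection block.
SELECTION = {
    "SourceImage": "\\rundll32.exe",
    "TargetImage": "\\lsass.exe",
}


def matches_selection(event: Dict[str, str]) -> bool:
    """True when every selection field ends with its value.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased. The leading backslash in the value is deliberate: it anchors
    the match to the file name, so 'myrundll32.exe' does not match.
    """
    for field, suffix in SELECTION.items():
        value = event.get(field)
        if value is None or not value.lower().endswith(suffix.lower()):
            return False
    return True


def find_hits(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply 'condition: selection' to a batch of ProcessAccess events."""
    return [e for e in events if matches_selection(e)]


# Constructed Sysmon Event ID 10 records (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",        # hit
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\SysWOW64\RUNDLL32.EXE",        # hit, mixed case
     "TargetImage": r"C:\WINDOWS\system32\LSASS.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",         # miss: not rundll32
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",        # miss: target not LSASS
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Tools\myrundll32.exe",                 # miss: name not anchored
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT rundll32 -> lsass: {hit['SourceImage']} "
              f"access={hit['GrantedAccess']}")
```

Running it reports the first two records only; the last record shows why the rule values begin with a backslash rather than the bare file name.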
Related rules
- Application Bypass with DllRegisterServer Function
- Rundll32 Without a Command Line
- Rundll32 with Suspicious Process Lineage
- Suspicious Export Functionalities - Rundll32
- Application Bypass with RunDLL32 and DllRegisterServer Function