Suspicious Export Functionalities - Rundll32

Consider monitoring for instances of rundll32.exe loading Windows-native DLLs whose exported functions adversaries commonly leverage to execute malicious code and evade defensive controls. The following pseudo-analytic applies specifically to adversaries who use the MiniDump export of comsvcs.dll to dump the contents of LSASS, but the logic can be adapted to detect other malicious activity as well. Part of the Red Canary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Suspicious Export Functionalities - Rundll32
id: 705d6f7b-779f-41c5-9994-8b191094577b
status: experimental
description: |
    Consider monitoring for instances of rundll32.exe running Windows
    native DLLs that have export functionalities that adversaries commonly
    leverage for executing malicious code and evading defensive controls.
    The following pseudo-analytic applies specifically to adversaries who
    use the MiniDump export functionality of comsvcs.dll to dump the
    contents of LSASS, but this logic could be adapted to detect other
    malicious activity as well. Part of the RedCanary 2024 Threat Detection
    Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.011
    - attack.credential_access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith: '\rundll32.exe'
    selection2:
        CommandLine|contains: 'comsvcs.dll'
    selection3:
        CommandLine|contains:
            - 'MiniDump'
            - '#24'
    condition: all of selection*
falsepositives:
    - Unknown
level: low
```
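The following is an added example, not code from Red Canary, the Sigma project, or the rule's author, showing how the three selections and the `all of selection*` condition evaluate against process_creation events. Events are plain dicts keyed by the Sigma field names the rule uses (`Image`, `CommandLine`); the sample events are constructed, not real telemetry. The example also exposes one caveat a practitioner porting this rule should check: Sigma's `endswith` and `contains` modifiers are case-insensitive by default, so a backend that compiles them to case-sensitive substring checks silently misses the ordinal (`#24`) and mixed-case variants.

```python
"""Reference evaluation of the 'Suspicious Export Functionalities - Rundll32'
Sigma rule over process_creation events (added example, not the rule author's code).

Each event is a dict using the Sigma windows/process_creation field names the
rule references (Image, CommandLine). Matching follows Sigma's default string
semantics: 'endswith' and 'contains' are case-insensitive.
"""

# The three selections as data, mirroring the YAML.
IMAGE_SUFFIX = "\\rundll32.exe"          # selection1: Image|endswith
DLL_NEEDLE = "comsvcs.dll"               # selection2: CommandLine|contains
EXPORT_NEEDLES = ("MiniDump", "#24")     # selection3: export by name or by ordinal


def _norm(s, case_insensitive):
    """Normalise for comparison; Sigma's default is case-insensitive."""
    return s.lower() if case_insensitive else s


def selection1(ev, case_insensitive=True):
    image = _norm(ev.get("Image", ""), case_insensitive)
    return image.endswith(_norm(IMAGE_SUFFIX, case_insensitive))


def selection2(ev, case_insensitive=True):
    cmd = _norm(ev.get("CommandLine", ""), case_insensitive)
    return _norm(DLL_NEEDLE, case_insensitive) in cmd


def selection3(ev, case_insensitive=True):
    cmd = _norm(ev.get("CommandLine", ""), case_insensitive)
    return any(_norm(n, case_insensitive) in cmd for n in EXPORT_NEEDLES)


def matches_rule(ev, case_insensitive=True):
    """condition: all of selection*"""
    return all(sel(ev, case_insensitive) for sel in (selection1, selection2, selection3))


# Constructed sample events (hypothetical, not captured telemetry).
SAMPLE_EVENTS = [
    # The behaviour the rule targets: rundll32 invoking comsvcs.dll's MiniDump export.
    {"id": "e1", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump"},
    # Same technique, export referenced by ordinal and with unusual casing.
    {"id": "e2", "Image": "C:\\WINDOWS\\SYSWOW64\\RUNDLL32.EXE",
     "CommandLine": "RUNDLL32.EXE COMSVCS.DLL, #24"},
    # Benign rundll32 use: a different DLL and export, so selection2 fails.
    {"id": "e3", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    # Rule strings present in the command line, but the image is not rundll32.exe.
    {"id": "e4", "Image": "C:\\Windows\\System32\\findstr.exe",
     "CommandLine": "findstr /i MiniDump comsvcs.dll.txt"},
]


def run(events, case_insensitive=True):
    """Return the ids of the events that trigger the rule."""
    return [ev["id"] for ev in events if matches_rule(ev, case_insensitive)]


if __name__ == "__main__":
    print("Sigma default (case-insensitive):", run(SAMPLE_EVENTS))
    print("naive case-sensitive port:       ", run(SAMPLE_EVENTS, case_insensitive=False))
```

With Sigma's default semantics the run flags `e1` and `e2`; a case-sensitive port flags only `e1`, which is the check worth making after converting the rule for a SIEM backend. Event `e4` illustrates why `selection1` matters: the DLL and export strings alone are not enough, the parent image must be rundll32.exe.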
