Gamarue Rundll32.exe Long Commandlines
Fortunately for defenders, Gamarue is detectable with endpoint telemetry. The majority of Gamarue activity we see involves rundll32.exe executing with unusual command lines that include long filenames with repeating characters and random function names. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule
```yaml
title: Gamarue Rundll32.exe Long Commandlines
id: 66fa7a57-1c53-42e1-9e5c-e9a1f5e62784
status: experimental
description: |
    Fortunately for defenders, Gamarue is detectable with endpoint telemetry. The majority
    of Gamarue activity we see involves rundll32.exe executing with unusual command lines
    that include long filenames with repeating characters and random function names. Part
    of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/gamarue/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re: .*\S{10,70}\.\S{10,70},\w{16}
    condition: selection
falsepositives:
    - Unknown
level: low
```
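The whole rule is the single regular expression in `selection`: a run of 10 to 70 non-whitespace characters, a dot, another run of 10 to 70 non-whitespace characters, a comma, and then 16 word characters, i.e. the `<long path\long name>.<long extension>,<16-char export>` shape of a Gamarue rundll32 invocation. Two things a practitioner should notice before deploying it: Sigma's `|re` modifier is an unanchored search, so the leading `.*` is redundant, and the selection never checks the `Image` field, so despite the description it fires on any process whose command line carries that token shape, not only rundll32.exe. The script below is an added example (not part of the published rule or the Red Canary report): it evaluates the rule's regex over a few constructed process_creation events and shows, as an assumed tightening, what adding an `Image` constraint changes.

```python
import re

# Pattern copied verbatim from the rule's `CommandLine|re` selection.
GAMARUE_CMDLINE_RE = re.compile(r".*\S{10,70}\.\S{10,70},\w{16}")


def selection_matches(event: dict) -> bool:
    """Evaluate the rule's `selection` block against one process_creation event.

    Sigma backends compile `|re` as an unanchored search, so re.search is the
    faithful translation and the leading `.*` in the pattern is redundant.
    """
    return GAMARUE_CMDLINE_RE.search(event.get("CommandLine", "")) is not None


def selection_matches_rundll32_only(event: dict) -> bool:
    """Tightened variant (an assumption, not part of the published rule): the
    description talks about rundll32.exe, but the selection never checks the
    Image field, so this adds that constraint on top of the regex."""
    image = event.get("Image", "").lower()
    return image.endswith("\\rundll32.exe") and selection_matches(event)


def run_rule(events, rundll32_only: bool = False) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    match = selection_matches_rundll32_only if rundll32_only else selection_matches
    return [e["id"] for e in events if match(e)]


# Constructed sample events, not real telemetry. Field names follow the
# Sigma process_creation taxonomy (Image, CommandLine).
SAMPLE_EVENTS = [
    {
        # Long repeating-character file name plus a 16-character export name,
        # the shape the rule description calls out.
        "id": "gamarue-like",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\{}.{},{}'.format(
            "k" * 19, "d" * 18, "XyZaBcDeFgHiJkLm"),
    },
    {
        # Ordinary rundll32 usage: short DLL name, export shorter than 16 chars.
        "id": "benign-control-panel",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
    },
    {
        # Same token shape from a non-rundll32 process: the published selection
        # fires on it, the tightened variant does not.
        "id": "long-path-other-image",
        "Image": r"C:\Program Files\Vendor\updater.exe",
        "CommandLine": r"updater.exe C:\Temp\{}.{},{}".format(
            "a" * 16, "b" * 16, "abcdefghijklmnop"),
    },
]

if __name__ == "__main__":
    print("published selection:   ", run_rule(SAMPLE_EVENTS))
    print("rundll32-only variant: ", run_rule(SAMPLE_EVENTS, rundll32_only=True))
```

Running it shows the published selection alerting on both the Gamarue-like event and the `updater.exe` event, while the rundll32-only variant keeps just the first. Whether to tighten the rule that way is a tuning decision: the looser version catches the same payload launched through a renamed or proxied rundll32, the tighter one lowers the false-positive rate on installers and updaters that happen to pass long `path.ext,Export` arguments.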
References
- https://redcanary.com/threat-detection-report/threats/gamarue/
Related rules
- Base64 Encoding
- Obfuscated Commands - Command Shell
- Obfuscation and Escape Characters - Powershell
- PowerShell -encodedcommand Switch
- PowerShell Base64 Encoding