TAIDOOR RAT DLL Load

Oct 23, 2025 · attack.privilege-escalation attack.defense-evasion attack.execution attack.t1055.001 detection.emerging-threats ·

Share on:

Detects specific process characteristics of Chinese TAIDOOR RAT malware load

Sigma rule (View on GitHub)

 1title: TAIDOOR RAT DLL Load
 2id: d1aa3382-abab-446f-96ea-4de52908210b
 3status: test
 4description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
 5references:
 6    - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
 7author: Florian Roth (Nextron Systems)
 8date: 2020-07-30
 9modified: 2021-11-27
10tags:
11    - attack.privilege-escalation
12    - attack.defense-evasion
13    - attack.execution
14    - attack.t1055.001
15    - detection.emerging-threats
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection1:
21        CommandLine|contains:
22            - 'dll,MyStart'
23            - 'dll MyStart'
24    selection2a:
25        CommandLine|endswith: ' MyStart'
26    selection2b:
27        CommandLine|contains: 'rundll32.exe'
28    condition: selection1 or ( selection2a and selection2b )
29falsepositives:
30    - Unknown
31level: high

References

MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR | CISA

Notification This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contain...

Read More

TAIDOOR RAT DLL Load

Sigma rule (View on GitHub)

References

MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR | CISA

Related rules