Remote DLL Load Via Rundll32.EXE

 1title: Remote DLL Load Via Rundll32.EXE
 2id: f40017b3-cb2e-4335-ab5d-3babf679c1de
 3status: test
 4description: Detects a remote DLL load event via "rundll32.exe".
 5references:
 6    - https://github.com/gabe-k/themebleed
 7    - Internal Research
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-09-18
10tags:
11    - attack.execution
12    - attack.t1204.002
13logsource:
14    category: image_load
15    product: windows
16detection:
17    selection:
18        Image|endswith: '\rundll32.exe'
19        ImageLoaded|startswith: '\\\\'
20    condition: selection
21falsepositives:
22    - Unknown
23level: medium

References

• GitHub - exploits-forsale/themebleed: Proof-of-Concept for CVE-2023-38146 ("ThemeBleed")

  

  Proof-of-Concept for CVE-2023-38146 ("ThemeBleed") - exploits-forsale/themebleed

  
  Read More

• Internal Research

  
  Read More

Related rules

• Active Directory Kerberos DLL Loaded Via Office Application
• Active Directory Parsing DLL Loaded Via Office Application
• CLR DLL Loaded Via Office Applications
• DotNET Assembly DLL Loaded Via Office Application
• Download From Suspicious TLD - Blacklist