Remote DLL Load Via Rundll32.EXE

Detects rundll32.exe loading a DLL image from a UNC path, i.e. a DLL served from a remote share (or a WebDAV share exposed through the UNC namespace) rather than from the local disk.

Sigma rule

title: Remote DLL Load Via Rundll32.EXE
id: f40017b3-cb2e-4335-ab5d-3babf679c1de
status: experimental
description: Detects a remote DLL load event via "rundll32.exe".
references:
    - https://github.com/gabe-k/themebleed
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/09/18
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        # Only the file name is tested, so a rundll32.exe copied elsewhere still matches.
        Image|endswith: '\rundll32.exe'
        # '\\\\' is Sigma escaping for two literal backslashes: the UNC prefix of \\host\share\x.dll.
        # A share reached through a mapped drive letter (Z:\...) does not start with it and is not matched.
        ImageLoaded|startswith: '\\\\'
    condition: selection
falsepositives:
    - Unknown
level: medium
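To make the two selection clauses concrete, the following added example (not code from the SigmaHQ page or from the rule's author) re-implements the rule's `selection` block in Python and runs it over constructed Sysmon Event ID 7 (image_load) records. The field names `Image` and `ImageLoaded` are Sysmon's; the records themselves, the hostnames and paths in them, and the `id` field are made up for this example. It applies Sigma's plain-string semantics: case-insensitive comparison, and `'\\\\'` in the YAML read as two literal backslashes.

```python
# Added example, not part of the Sigma rule or its page: the rule's
# 'selection' block as a Python predicate, run over constructed Sysmon
# EID 7 (image_load) records to show which loads it catches and misses.

# The rule's two selection values. Sigma plain strings match
# case-insensitively, and the YAML value '\\\\' is Sigma escaping for two
# literal backslashes, i.e. the UNC prefix of a path like \\host\share\x.dll.
IMAGE_SUFFIX = "\\rundll32.exe"   # Image|endswith  (single backslash + name)
UNC_PREFIX = "\\\\"               # ImageLoaded|startswith (two backslashes)


def matches_selection(event: dict) -> bool:
    """True when the record satisfies both clauses of 'selection'."""
    image = str(event.get("Image", "")).lower()
    loaded = str(event.get("ImageLoaded", "")).lower()
    return image.endswith(IMAGE_SUFFIX) and loaded.startswith(UNC_PREFIX)


def matching_ids(events: list[dict]) -> list[int]:
    """ids of the constructed records the rule would alert on."""
    return [e["id"] for e in events if matches_selection(e)]


# Constructed Sysmon EID 7 records (only the fields the rule reads, plus an id).
# Hostnames, shares and DLL names are invented for this example.
SAMPLE_EVENTS = [
    # 1. Hit: rundll32 loading a DLL straight from an SMB share.
    {"id": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"\\10.0.0.5\share\payload.dll"},
    # 2. Hit: WebDAV share reached through the UNC namespace
    #    (Windows resolves \\host@SSL\DavWWWRoot\... via the WebClient service).
    {"id": 2, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ImageLoaded": r"\\evil.example@SSL\DavWWWRoot\x.dll"},
    # 3. Hit: different letter case; Sigma string matching is case-insensitive.
    {"id": 3, "Image": r"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE",
     "ImageLoaded": r"\\SRV01\C$\t.dll"},
    # 4. Hit: rundll32.exe copied to another directory; only the file name is tested.
    {"id": 4, "Image": r"C:\Users\Public\rundll32.exe",
     "ImageLoaded": r"\\10.0.0.5\share\a.dll"},
    # 5. Miss: rundll32 loading a local DLL, the everyday case.
    {"id": 5, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    # 6. Miss: a remote DLL loaded by a process other than rundll32 (out of scope here).
    {"id": 6, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"\\10.0.0.5\share\a.dll"},
    # 7. Miss (coverage gap): the same share reached through a mapped drive letter.
    {"id": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"Z:\share\a.dll"},
    # 8. Miss: 'rundll32.exe' appears in the path but is not the image file name.
    {"id": 8, "Image": r"C:\Tools\rundll32.exe\loader.exe",
     "ImageLoaded": r"\\srv\s\a.dll"},
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "HIT " if matches_selection(e) else "miss"
        print(f"{verdict} {e['id']}: {e['Image']} -> {e['ImageLoaded']}")
```

Two practical points follow from the records above. Sysmon does not log image loads unless an `ImageLoad` section is enabled in its configuration, so the `image_load` log source has to be switched on before this rule can fire at all. And because the rule keys on the `\\` prefix, a DLL pulled from the same share through a mapped drive letter (record 7) is not covered; if that matters in your environment, a companion rule on drive-letter paths outside the local system volume is the usual complement. For production use, convert the rule with sigma-cli (`sigma convert -t <backend> -p sysmon rule.yml`) rather than hand-porting the predicate.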
