Unsigned DLL Loaded by RunDLL32/RegSvr32

Detects RunDLL32/RegSvr32 loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.

Sigma rule

title: Unsigned DLL Loaded by RunDLL32/RegSvr32
id: b5de0c9a-6f19-43e0-af4e-55ad01f550af
status: experimental
description: |
    Detects RunDLL32/RegSvr32 loading an unsigned or untrusted DLL.
    Adversaries often abuse those programs to proxy execution of malicious code.
references:
    - https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion
    - https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
    - https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
author: Swachchhanda Shrawan Poudel
date: 2024/01/22
tags:
    - attack.t1218.011
    - attack.t1218.010
    - attack.defense_evasion
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith:
            # Note: Add additional utilities that allow the loading of DLLs
            - '\regsvr32.exe'
            - '\rundll32.exe'
    filter_main_signed:
        - Signed: 'true'
        - SignatureStatus:
              - 'errorChaining'
              - 'errorCode_endpoint'
              - 'errorExpired'
              - 'trusted'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
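To make the rule's logic concrete, the following is an added Python example (not part of the Sigma project or this rule's author's code) that evaluates the rule over a handful of constructed Sysmon image_load (Event ID 7) records. Field names follow the rule itself (Image, Signed, SignatureStatus); the ImageLoaded field and all event values are made up for illustration.

```python
"""Evaluate the 'Unsigned DLL Loaded by RunDLL32/RegSvr32' Sigma logic
over constructed image_load events. Added example, not the rule's own code."""

# Values copied from the rule. Sigma string matching is case-insensitive by
# default, so everything is compared in lowercase.
LOADER_SUFFIXES = ("\\regsvr32.exe", "\\rundll32.exe")
FILTERED_STATUSES = {s.lower() for s in
                     ("errorChaining", "errorCode_endpoint", "errorExpired", "trusted")}


def selection(event: dict) -> bool:
    """'selection': the loading process is regsvr32.exe or rundll32.exe."""
    image = str(event.get("Image", "")).lower()
    return any(image.endswith(suffix) for suffix in LOADER_SUFFIXES)


def filter_main_signed(event: dict) -> bool:
    """'filter_main_signed' is a YAML list of two maps, which Sigma joins
    with OR: the DLL is marked Signed: true, or its SignatureStatus is one
    of the listed values."""
    signed = str(event.get("Signed", "")).lower() == "true"
    status = str(event.get("SignatureStatus", "")).lower()
    return signed or status in FILTERED_STATUSES


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_signed(event)


# Constructed sample events (not real telemetry). Only the second one should
# fire: a proxy binary loading an unsigned DLL with no recognised status.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ImageLoaded": "C:\\Users\\Public\\update.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "ImageLoaded": "C:\\ProgramData\\tool.dll",
     "Signed": "false", "SignatureStatus": "errorExpired"},
    {"Image": "C:\\Program Files\\App\\app.exe",
     "ImageLoaded": "C:\\Program Files\\App\\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def alerts(events) -> list:
    """Return the ImageLoaded paths of the events the rule would alert on."""
    return [e["ImageLoaded"] for e in events if matches(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT: unsigned DLL loaded by proxy binary:", path)
```

Note what the third sample shows: because the rule's filter lists `errorExpired` (and the other two error statuses) alongside `trusted`, an unsigned-looking DLL whose SignatureStatus is one of those values is suppressed, not alerted on. Whether that is the right trade-off for your environment is a tuning decision; the `falsepositives: Unknown` entry above signals that the author has not yet characterised benign hits.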
