HackTool - F-Secure C3 Load by Rundll32
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
Sigma rule (View on GitHub)
1title: HackTool - F-Secure C3 Load by Rundll32
2id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
3status: test
4description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
5references:
6 - https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12
7author: Alfie Champion (ajpc500)
8date: 2021-06-02
9modified: 2023-03-05
10tags:
11 - attack.defense-evasion
12 - attack.t1218.011
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 CommandLine|contains|all:
19 - 'rundll32.exe'
20 - '.dll'
21 - 'StartNodeRelay'
22 condition: selection
23falsepositives:
24 - Unknown
25level: critical
References
-
C3/Src/NodeRelayDll/NodeRelayDll.cpp at 11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef · WithSecureLabs/C3
Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits. - WithSecureLabs/C3
Read More
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- CobaltStrike Load by Rundll32
- Code Execution via Pcwutl.dll
- Equation Group DLL_U Export Function Load