HackTool - F-Secure C3 Load by Rundll32
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
Sigma rule (View on GitHub)
1title: HackTool - F-Secure C3 Load by Rundll32
2id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
3status: test
4description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
5references:
6 - https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12
7author: Alfie Champion (ajpc500)
8date: 2021/06/02
9modified: 2023/03/05
10tags:
11 - attack.defense_evasion
12 - attack.t1218.011
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 CommandLine|contains|all:
19 - 'rundll32.exe'
20 - '.dll'
21 - 'StartNodeRelay'
22 condition: selection
23falsepositives:
24 - Unknown
25level: critical
References
-
C3/Src/NodeRelayDll/NodeRelayDll.cpp at 11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef · WithSecureLabs/C3
Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits. - WithSecureLabs/C3
Read More
Related rules
- Suspicious Control Panel DLL Load
- HackTool - RedMimicry Winnti Playbook Execution
- Suspicious Call by Ordinal
- Suspicious Rundll32 Activity Invoking Sys File
- Suspicious Rundll32 Setupapi.dll Activity