CobaltStrike Load by Rundll32

 1title: CobaltStrike Load by Rundll32
 2id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
 3status: test
 4description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
 5references:
 6    - https://www.cobaltstrike.com/help-windows-executable
 7    - https://redcanary.com/threat-detection-report/
 8    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
 9author: Wojciech Lesicki
10date: 2021-06-01
11modified: 2022-09-16
12tags:
13    - attack.defense-evasion
14    - attack.t1218.011
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_rundll:
20        - Image|endswith: '\rundll32.exe'
21        - OriginalFileName: RUNDLL32.EXE
22        - CommandLine|contains:
23              - 'rundll32.exe'
24              - 'rundll32 '
25    selection_params:
26        CommandLine|contains: '.dll'
27        CommandLine|endswith:
28            - ' StartW'
29            - ',StartW'
30    condition: all of selection*
31falsepositives:
32    - Unknown
33level: high

References

• 
  Read More

• Welcome to the Red Canary 2024 Threat Detection Report

  

  Our Threat Detection Report takes a close look at the top techniques, threats, and trends to help security teams focus on what matters most.

  
  Read More

• Ryuk in 5 Hours

  

  Intro The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial phish. T…

  
  Read More

Related rules

• APT29 2018 Phishing Campaign CommandLine Indicators
• APT29 2018 Phishing Campaign File Indicators
• Code Execution via Pcwutl.dll
• Equation Group DLL_U Export Function Load
• EvilNum APT Golden Chickens Deployment Via OCX Files