CobaltStrike Load by Rundll32
Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
Sigma rule (View on GitHub)
1title: CobaltStrike Load by Rundll32
2id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
3status: test
4description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
5references:
6 - https://www.cobaltstrike.com/help-windows-executable
7 - https://redcanary.com/threat-detection-report/
8 - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
9author: Wojciech Lesicki
10date: 2021/06/01
11modified: 2022/09/16
12tags:
13 - attack.defense_evasion
14 - attack.t1218.011
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_rundll:
20 - Image|endswith: '\rundll32.exe'
21 - OriginalFileName: RUNDLL32.EXE
22 - CommandLine|contains:
23 - 'rundll32.exe'
24 - 'rundll32 '
25 selection_params:
26 CommandLine|contains: '.dll'
27 CommandLine|endswith:
28 - ' StartW'
29 - ',StartW'
30 condition: all of selection*
31falsepositives:
32 - Unknown
33level: high
References
-
Our Threat Detection Report takes a close look at the top techniques, threats, and trends to help security teams focus on what matters most.
Read More -
Intro The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial … Read More
Read More
Related rules
- Equation Group DLL_U Export Function Load
- Potential Emotet Rundll32 Execution
- Potentially Suspicious Rundll32 Activity
- Sofacy Trojan Loader Activity
- Process Access via TrolleyExpress Exclusion