DLL Execution via Rasautou.exe

calendar Aug 12, 2024 · attack.defense-evasion attack.t1218  ·
Share on: linkedin copy

Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.

Sigma rule (View on GitHub)

 1title: DLL Execution via Rasautou.exe
 2id: cd3d1298-eb3b-476c-ac67-12847de55813
 3status: test
 4description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
 7    - https://github.com/fireeye/DueDLLigence
 8    - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
 9author: Julia Fomina, oscd.community
10date: 2020-10-09
11tags:
12    - attack.defense-evasion
13    - attack.t1218
14logsource:
15    product: windows
16    category: process_creation
17    definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
18detection:
19    selection_img:
20        - Image|endswith: '\rasautou.exe'
21        - OriginalFileName: 'rasdlui.exe'
22    selection_cli:
23        CommandLine|contains|all:
24            - ' -d '
25            - ' -p '
26    condition: all of selection*
27falsepositives:
28    - Unlikely
29level: medium

References

Related rules

to-top