DLL Execution via Rasautou.exe
Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
Sigma rule (View on GitHub)
1title: DLL Execution via Rasautou.exe
2id: cd3d1298-eb3b-476c-ac67-12847de55813
3status: test
4description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
7 - https://github.com/fireeye/DueDLLigence
8 - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
9author: Julia Fomina, oscd.community
10date: 2020/10/09
11tags:
12 - attack.defense_evasion
13 - attack.t1218
14logsource:
15 product: windows
16 category: process_creation
17 definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
18detection:
19 selection_img:
20 - Image|endswith: '\rasautou.exe'
21 - OriginalFileName: 'rasdlui.exe'
22 selection_cli:
23 CommandLine|contains|all:
24 - ' -d '
25 - ' -p '
26 condition: all of selection*
27falsepositives:
28 - Unlikely
29level: medium
References
-
-
-
True red team assessments require a secondary objective of avoiding detection. Part of the glory of a successful red team assessment is not getting detected by anything or anyone on the system. As ...
Read More
Related rules
- Indirect Command Execution By Program Compatibility Wizard
- Malicious PE Execution by Microsoft Visual Studio Debugger
- Verclsid.exe Runs COM Object
- Time Travel Debugging Utility Usage
- Bypass UAC via CMSTP