Potential Renamed Rundll32 Execution

Aug 12, 2024 · attack.execution ·

Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection

Sigma rule (View on GitHub)

 1title: Potential Renamed Rundll32 Execution
 2id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed
 3related:
 4    - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
 5      type: derived
 6status: test
 7description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
 8references:
 9    - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
10    - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022-08-22
13modified: 2023-02-03
14tags:
15    - attack.execution
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        CommandLine|contains: 'DllRegisterServer'
22    filter:
23        Image|endswith: '\rundll32.exe'
24    condition: selection and not filter
25falsepositives:
26    - Unlikely
27level: high

References

x.com

Read More
Analysis sport.dll (MD5: F99ADAB7B2560097119077B99ACEB40D) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

Read More

Potential Renamed Rundll32 Execution

Sigma rule (View on GitHub)

References

x.com

Analysis sport.dll (MD5: F99ADAB7B2560097119077B99ACEB40D) Malicious activity - Interactive analysis ANY.RUN

Related rules