Potential Renamed Rundll32 Execution
Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
Sigma rule
title: Potential Renamed Rundll32 Execution
id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed
related:
  - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
    type: derived
status: test
description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
references:
  - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
  - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/22
modified: 2023/02/03
tags:
  - attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains: 'DllRegisterServer'
  filter:
    Image|endswith: '\rundll32.exe'
  condition: selection and not filter
falsepositives:
  - Unlikely
level: high
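To show what this rule's `selection and not filter` condition actually does against process-creation telemetry, here is a small Python evaluator that applies the rule's two maps to a handful of constructed events. This is an added example, not code from the Sigma project or the rule author; the event dictionaries are invented for illustration and use only the two field names the rule itself references (`Image` and `CommandLine`). It implements the `contains` and `endswith` modifiers case-insensitively, which is how Sigma string matching behaves by default, plus `startswith` and plain equality so the helper generalises to similar process_creation rules.

```python
# Added example: minimal evaluator for the rule's detection block.
# Sample events below are constructed for illustration, not real telemetry.

# The rule's detection maps, copied from the Sigma rule above.
SELECTION = {"CommandLine|contains": "DllRegisterServer"}
FILTER = {"Image|endswith": "\\rundll32.exe"}

# Constructed process_creation events (hypothetical paths and names).
SAMPLE_EVENTS = [
    # Legitimate: the real rundll32.exe registering a DLL -> excluded by the filter.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,DllRegisterServer"},
    # Suspicious: same export called from a binary that is not rundll32.exe.
    {"Image": r"C:\Users\Public\update.exe",
     "CommandLine": r"update.exe C:\Users\Public\payload.dll,DllRegisterServer"},
    # Unrelated process, no DllRegisterServer in the command line.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    # Suspicious, and shows why matching must be case-insensitive.
    {"Image": r"C:\Temp\r32.exe",
     "CommandLine": r"r32.exe C:\Temp\x.dll,dllregisterserver"},
]


def field_matches(event, key, value):
    """Evaluate one 'Field|modifier: value' pair from a Sigma map."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()   # Sigma strings match case-insensitively
    expected = str(value).lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def map_matches(event, mapping):
    """All key/value pairs inside one Sigma map are ANDed together."""
    return all(field_matches(event, k, v) for k, v in mapping.items())


def rule_matches(event):
    """condition: selection and not filter"""
    return map_matches(event, SELECTION) and not map_matches(event, FILTER)


def run(events):
    """Return the Image of every event the rule would alert on, in input order."""
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for image in run(SAMPLE_EVENTS):
        print("ALERT Potential Renamed Rundll32 Execution:", image)
```

Running it flags only the two events whose command line carries `DllRegisterServer` while the image is something other than `\rundll32.exe`; the genuine rundll32.exe invocation is suppressed by the filter, which is exactly why a renamed copy of the utility surfaces. Note that the rule keys on the image path alone, so any third-party installer that passes the string `DllRegisterServer` on its own command line will also match, which is the residual false-positive case the rule marks as "Unlikely".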