Potential Rundll32 Execution With DLL Stored In ADS
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
Sigma rule

```yaml
title: Potential Rundll32 Execution With DLL Stored In ADS
id: 9248c7e1-2bf3-4661-a22c-600a8040b446
status: test
description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Rundll32
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-01-21
modified: 2023-02-08
tags:
    - attack.defense-evasion
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        # Example:
        # rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
        # Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex
        CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? \S+?\w:\S+?:'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
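To see how the two selections combine, here is an added Python example (not part of the rule or of the SigmaHQ project) that applies the rule's image check and its `CommandLine|re` pattern to a handful of constructed process_creation events. Besides the LOLBAS command line the rule is built around, the sample set includes command lines the pattern, as written, does not match: a relative path (the gap the rule's own comment notes), an unquoted full path placed directly after `rundll32`, and a quoted image path. It also shows a renamed copy of rundll32, where the `OriginalFileName` alternative in `selection_img` fires but the regex still requires the literal `rundll32` token, and a `cmd.exe` command line that matches the regex but fails `selection_img`. Sigma's `re` modifier is an unanchored, case-sensitive search, which is why the rule spells out `[Rr][Uu]...` instead of relying on an ignore-case flag; Python's `re.search` has the same semantics.

```python
import re

# CommandLine|re pattern copied verbatim from the rule above.
ADS_RUNDLL32_RE = re.compile(
    r'[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? \S+?\w:\S+?:'
)


def selection_img(event: dict) -> bool:
    """selection_img is a list of maps, which Sigma ORs: either field suffices.
    Sigma string matching (including |endswith) is case-insensitive."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    return image.lower().endswith("\\rundll32.exe") or original.lower() == "rundll32.exe"


def selection_cli(event: dict) -> bool:
    """selection_cli: unanchored regex search over the CommandLine field."""
    return ADS_RUNDLL32_RE.search(event.get("CommandLine", "")) is not None


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


def matching_command_lines(events: list) -> list:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


# Constructed process_creation events, not real telemetry. Only the fields the
# rule inspects are populated.
SAMPLE_EVENTS = [
    # 0. The LOLBAS example quoted in the rule: quoted full path with an ADS -> match.
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain'},
    # 1. Unquoted full image path, mixed case, lowercase drive letter -> match.
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'C:\Windows\SysWOW64\RunDll32.EXE "c:\users\public\notes.txt:payload.dll",Start'},
    # 2. Ordinary benign rundll32 usage: no colon after the first argument -> no match.
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # 3. ADS DLL given as a relative path: the rule's own comment says this is not covered.
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32 file.txt:ADSDLL.dll,DllMain"},
    # 4. Unquoted full path directly after rundll32: \S+? must consume at least one
    #    character before \w: can match the drive letter, so only "t:" can satisfy
    #    \w: and no second colon follows -> no match.
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32 C:\ads\file.txt:ADSDLL.dll,DllMain"},
    # 5. Quoted image path: a quote, not a space, follows rundll32.exe -> no match.
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\ads\file.txt:ADSDLL.dll",DllMain'},
    # 6. Renamed copy: selection_img fires via OriginalFileName, but the regex
    #    requires the literal rundll32 token in the command line -> no match.
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'svc.exe "C:\ads\file.txt:ADSDLL.dll",DllMain'},
    # 7. Not rundll32 at all: the regex matches, selection_img does not -> no match.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c echo rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain'},
]


if __name__ == "__main__":
    for i, event in enumerate(SAMPLE_EVENTS):
        print(f"{i}: img={selection_img(event)!s:5} cli={selection_cli(event)!s:5} "
              f"alert={rule_matches(event)!s:5}  {event['CommandLine']}")
```

Only events 0 and 1 produce an alert. Events 3, 4 and 5 are real rundll32 launches of a DLL stored in an ADS that this regex does not catch, so a hunt for the technique should not rely on this rule alone; a broader (and more expensive) pattern, or a rule keyed on the Image/OriginalFileName check plus any `:` inside the first argument, would close those gaps at the cost of more review work.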
References
- https://lolbas-project.github.io/lolbas/Binaries/Rundll32
Related rules
- Execute From Alternate Data Streams
- Exports Registry Key To an Alternate Data Stream
- Hidden Executable In NTFS Alternate Data Stream
- Insensitive Subfolder Search Via Findstr.EXE
- NTFS Alternate Data Stream