Potential Rundll32 Execution With DLL Stored In ADS
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
Sigma rule (View on GitHub)
1title: Potential Rundll32 Execution With DLL Stored In ADS
2id: 9248c7e1-2bf3-4661-a22c-600a8040b446
3status: test
4description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/Rundll32
7author: Harjot Singh, '@cyb3rjy0t'
8date: 2023-01-21
9modified: 2023-02-08
10tags:
11 - attack.defense-evasion
12 - attack.t1564.004
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_img:
18 - Image|endswith: '\rundll32.exe'
19 - OriginalFileName: 'RUNDLL32.EXE'
20 selection_cli:
21 # Example:
22 # rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
23 # Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex
24 CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? \S+?\w:\S+?:'
25 condition: all of selection_*
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- Execute From Alternate Data Streams
- Exports Registry Key To an Alternate Data Stream
- HackTool Named File Stream Created
- Hidden Executable In NTFS Alternate Data Stream
- Insensitive Subfolder Search Via Findstr.EXE