Potential Rundll32 Execution With DLL Stored In ADS
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
Sigma rule (View on GitHub)
title: Potential Rundll32 Execution With DLL Stored In ADS
id: 9248c7e1-2bf3-4661-a22c-600a8040b446
status: test
description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Rundll32
author: Harjot Singh, '@cyb3rjy0t'
date: 2023/01/21
modified: 2023/02/08
tags:
    - attack.defense_evasion
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        # Example:
        # rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
        # Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex
        CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? \S+?\w:\S+?:'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
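The following Python snippet is an added example, not part of the SigmaHQ rule or the page, showing how the rule's logic evaluates against a few constructed process_creation events: `selection_img` (Image ending in `\rundll32.exe` or OriginalFileName `RUNDLL32.EXE`, both case-insensitive as Sigma string matching is by default), `selection_cli` (the rule's own regex, copied verbatim, run as a search over CommandLine), and the `all of selection_*` condition. The sample events and the `matches_rule` / `evaluate_samples` helper names are assumptions made for this illustration.

```python
import re

# Regex copied verbatim from the rule's selection_cli; Sigma's |re modifier is an
# unanchored match, so re.search is the faithful way to apply it.
RUNDLL32_ADS_RE = re.compile(r'[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? \S+?\w:\S+?:')


def matches_rule(event: dict) -> bool:
    """Evaluate the rule against one process_creation event (dict of field -> value).

    selection_img: Image|endswith '\\rundll32.exe'  OR  OriginalFileName == 'RUNDLL32.EXE'
    selection_cli: CommandLine matches RUNDLL32_ADS_RE
    condition:     all of selection_*  (both selections must be true)
    """
    image = event.get("Image", "")
    original_name = event.get("OriginalFileName", "")
    cmdline = event.get("CommandLine", "")

    # Sigma string comparisons are case-insensitive unless |cased is used.
    selection_img = (
        image.lower().endswith("\\rundll32.exe")
        or original_name.upper() == "RUNDLL32.EXE"
    )
    selection_cli = RUNDLL32_ADS_RE.search(cmdline) is not None
    return selection_img and selection_cli


# Constructed sample events (hypothetical, for illustration only).
SAMPLE_EVENTS = {
    # The exact example from the rule's comment: DLL loaded from an ADS on file.txt.
    "ads_dll_full_path": {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain',
    },
    # Benign, everyday rundll32 use: no ADS in the DLL path.
    "benign_shell32": {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    },
    # The documented coverage gap: relative path to the ADS-hosted DLL (no drive letter).
    "ads_dll_relative_path": {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'rundll32 "file.txt:ADSDLL.dll",DllMain',
    },
    # Same command line, but a different process image: selection_img fails.
    "wrong_image": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain',
    },
}


def evaluate_samples() -> dict:
    """Return {sample_name: rule_matched} for every constructed event."""
    return {name: matches_rule(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} -> {'ALERT' if hit else 'no match'}")
```

Only `ads_dll_full_path` fires. `ads_dll_relative_path` stays silent, which is exactly the gap the rule's own comment calls out: the regex needs a drive-letter colon followed later by the ADS colon, so a DLL referenced by relative path is not covered. The `wrong_image` case shows why `condition: all of selection_*` matters: a matching command line alone is not enough without the rundll32 image or original file name.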
References
Related rules
- Unusual File Download from Direct IP Address
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
- Use NTFS Short Name in Command Line
- Use Short Name Path in Command Line
- PrintBrm ZIP Creation of Extraction