Suspicious Advpack Call Via Rundll32.EXE

Apr 1, 2024 · attack.defense_evasion ·

Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function

Sigma rule (View on GitHub)

 1title: Suspicious Advpack Call Via Rundll32.EXE
 2id: a1473adb-5338-4a20-b4c3-126763e2d3d3
 3status: test
 4description: Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
 5references:
 6    - https://twitter.com/Hexacorn/status/1224848930795552769
 7    - http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
 8author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 9date: 2023/05/17
10tags:
11    - attack.defense_evasion
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection_img:
17        - Image|endswith: '\rundll32.exe'
18        - OriginalFileName: 'RUNDLL32.EXE'
19        - CommandLine|contains: 'rundll32'
20    selection_cli_dll:
21        CommandLine|contains: 'advpack'
22    selection_cli_ordinal:
23        - CommandLine|contains|all:
24              - '#+'
25              - '12'
26        - CommandLine|contains: '#-'
27    condition: all of selection_*
28falsepositives:
29    - Unlikely
30level: high

References

Something went wrong, but don’t fret — let’s give it another shot.

Read More
Stay positive Lolbins… not!

Update After I posted this, a number of comments on Twitter followed; there was an interesting development from @sixtyvividtails: Old Post This is a quick bit on how to increase a number of availab...

Read More

Suspicious Advpack Call Via Rundll32.EXE

Sigma rule (View on GitHub)

References

Stay positive Lolbins&#8230; not!

Related rules

Stay positive Lolbins… not!