Suspicious Call by Ordinal
Detects rundll32.exe being used to call a DLL export by ordinal (the ",#N" syntax) instead of by name, a defense-evasion technique mapped to ATT&CK T1218.011.
Sigma rule
title: Suspicious Call by Ordinal
id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
status: stable
description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
references:
    - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
    - https://github.com/Neo23x0/DLLRunner
    - https://twitter.com/cyb3rops/status/1186631731543236608
    - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
author: Florian Roth (Nextron Systems)
date: 2019/10/22
modified: 2023/02/09
tags:
    - attack.defense_evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains:
            - ',#'
            - ', #'
            - '.dll #' # Sysmon removes , in its log
            - '.ocx #' # HermeticWizard
    filter_edge:
        CommandLine|contains|all:
            - 'EDGEHTML.dll'
            - '#141'
    filter_vsbuild_dll:
        ParentImage|contains:
            - '\Msbuild\Current\Bin\'
            - '\VC\Tools\MSVC\'
            - '\Tracker.exe'
        CommandLine|contains:
            - '\FileTracker32.dll,#1'
            - '\FileTracker32.dll",#1'
            - '\FileTracker64.dll,#1'
            - '\FileTracker64.dll",#1'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
    - Windows control panel elements have been identified as source (mmc)
level: high
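To make the selection and filter logic concrete, here is the rule above re-implemented in plain Python and run over a handful of constructed process_creation events. This is an added example, not code from the Sigma project or the rule author; the field names follow the Sigma process_creation schema, string matching is case-insensitive as Sigma's default modifiers are, and all paths, DLL names and command lines in the sample events are made up for illustration.

```python
# Added example: the rule's detection logic in plain Python, run over
# constructed process_creation events. Not code from the Sigma project.

IMAGE_SUFFIX = "\\rundll32.exe"
ORIGINAL_FILE_NAME = "RUNDLL32.EXE"

# selection_cli: the ",#" of an ordinal call plus the comma-less variants the
# rule lists because Sysmon drops the comma from the logged command line.
ORDINAL_MARKERS = (",#", ", #", ".dll #", ".ocx #")

# filter_edge uses contains|all: every needle must be present.
FILTER_EDGE_ALL = ("EDGEHTML.dll", "#141")

# filter_vsbuild_dll: any parent from the first list AND any command line
# fragment from the second list.
FILTER_VSBUILD_PARENTS = ("\\Msbuild\\Current\\Bin\\", "\\VC\\Tools\\MSVC\\", "\\Tracker.exe")
FILTER_VSBUILD_CLI = (
    "\\FileTracker32.dll,#1",
    "\\FileTracker32.dll\",#1",
    "\\FileTracker64.dll,#1",
    "\\FileTracker64.dll\",#1",
)


def _contains_any(value, needles):
    # Sigma string modifiers match case-insensitively by default.
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value, needles):
    v = value.lower()
    return all(n.lower() in v for n in needles)


def selection_img(ev):
    # A list of maps in Sigma is OR-ed: either field alone is enough, so a
    # renamed copy of rundll32.exe is still caught via OriginalFileName.
    return (ev.get("Image", "").lower().endswith(IMAGE_SUFFIX.lower())
            or ev.get("OriginalFileName", "").lower() == ORIGINAL_FILE_NAME.lower())


def selection_cli(ev):
    return _contains_any(ev.get("CommandLine", ""), ORDINAL_MARKERS)


def filter_edge(ev):
    return _contains_all(ev.get("CommandLine", ""), FILTER_EDGE_ALL)


def filter_vsbuild_dll(ev):
    # Keys inside one map are AND-ed: parent and command line must both match.
    return (_contains_any(ev.get("ParentImage", ""), FILTER_VSBUILD_PARENTS)
            and _contains_any(ev.get("CommandLine", ""), FILTER_VSBUILD_CLI))


def matches(ev):
    """condition: all of selection_* and not 1 of filter_*"""
    return (selection_img(ev) and selection_cli(ev)
            and not (filter_edge(ev) or filter_vsbuild_dll(ev)))


# Constructed sample events (made up, not real telemetry).
SAMPLE_EVENTS = [
    # 0: ordinal call with the comma intact (as Security event 4688 logs it)
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\payload.dll,#2"},
    # 1: the same call as Sysmon records it, comma removed
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\payload.dll #2"},
    # 2: rundll32 copied under another name; only OriginalFileName gives it away
    {"Image": "C:\\Temp\\svc.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "svc.exe C:\\Temp\\helper.ocx #1"},
    # 3: EdgeHTML ordinal 141 call, suppressed by filter_edge
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\EDGEHTML.dll,#141"},
    # 4: MSBuild FileTracker call, suppressed by filter_vsbuild_dll
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\Tracker.exe",
     "CommandLine": "rundll32.exe \"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\FileTracker64.dll\",#1"},
    # 5: export called by name, not by ordinal: no hit
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    # 6: ",#" inside a non-rundll32 process: selection_img fails, no hit
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -c \"$x = 'a,#1'\""},
]


def run_rule(events):
    """Return the indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    print("alerting events:", run_rule(SAMPLE_EVENTS))  # [0, 1, 2]
```

Two things worth noticing when tuning this rule: the comma-less patterns only cover files ending in .dll and .ocx, so on Sysmon telemetry (where the comma is gone) an ordinal call into a file with any other extension, or a bare filename, is not caught by selection_cli; and because selection_img also accepts OriginalFileName, a renamed rundll32.exe binary (event 2 above) still triggers, which is the intended behaviour rather than a false positive.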
Related rules
- Suspicious Rundll32 Activity Invoking Sys File
- Suspicious Rundll32 Setupapi.dll Activity
- Code Execution via Pcwutl.dll
- Application Bypass with RunDLL32 and DllRegisterServer Function
- Rundll32 with Suspicious Export Functionalities