Suspicious Call by Ordinal

calendar Feb 21, 2023 · attack.defense_evasion attack.t1218.011  ·
Share on: linkedin copy

Detects suspicious calls of DLLs in rundll32.dll exports by ordinal

Sigma rule (View on GitHub)

 1title: Suspicious Call by Ordinal
 2id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
 3status: stable
 4description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
 5references:
 6    - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
 7    - https://github.com/Neo23x0/DLLRunner
 8    - https://twitter.com/cyb3rops/status/1186631731543236608
 9    - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
10author: Florian Roth (Nextron Systems)
11date: 2019/10/22
12modified: 2023/02/09
13tags:
14    - attack.defense_evasion
15    - attack.t1218.011
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\rundll32.exe'
22        - OriginalFileName: 'RUNDLL32.EXE'
23    selection_cli:
24        CommandLine|contains:
25            - ',#'
26            - ', #'
27            - '.dll #'  # Sysmon removes , in its log
28            - '.ocx #'  # HermeticWizard
29    filter_edge:
30        CommandLine|contains|all:
31            - 'EDGEHTML.dll'
32            - '#141'
33    filter_vsbuild_dll:
34        ParentImage|contains:
35            - '\Msbuild\Current\Bin\'
36            - '\VC\Tools\MSVC\'
37            - '\Tracker.exe'
38        CommandLine|contains:
39            - '\FileTracker32.dll,#1'
40            - '\FileTracker32.dll",#1'
41            - '\FileTracker64.dll,#1'
42            - '\FileTracker64.dll",#1'
43    condition: all of selection_* and not 1 of filter_*
44falsepositives:
45    - False positives depend on scripts and administrative tools used in the monitored environment
46    - Windows control panel elements have been identified as source (mmc)
47level: high

References

Related rules

to-top