Suspicious Rundll32 Invoking Inline VBScript
Detects a suspicious rundll32 process based on a command line that invokes inline VBScript, as seen being used by UNC2452
Sigma rule

```yaml
title: Suspicious Rundll32 Invoking Inline VBScript
id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
status: test
description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
references:
  - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2022-10-09
tags:
  - attack.privilege-escalation
  - attack.defense-evasion
  - attack.t1055
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains|all:
      - 'rundll32.exe'
      - 'Execute'
      - 'RegRead'
      - 'window.close'
  condition: selection
falsepositives:
  - Unknown
level: high
```
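The selection above is a `contains|all` match: all four substrings must appear somewhere in the process command line, in any order, and Sigma string matching is case-insensitive unless the `cased` modifier is used. The following is an added example (not the SigmaHQ rule itself or any Sigma backend) that applies that logic to a handful of constructed process_creation events. The "suspicious" command line is a constructed stand-in that carries the four indicators in the mshtml/RunHTMLApplication shape; it is not a captured NOBELIUM sample, and the registry path in it is made up.

```python
"""Added example: evaluate the rule's `contains|all` selection over constructed
process_creation events. Illustrative code only, not part of SigmaHQ."""
from typing import Dict, List, Optional

# The four substrings from the rule's selection.
SELECTION_CONTAINS_ALL = ["rundll32.exe", "Execute", "RegRead", "window.close"]


def matches_selection(event: Dict[str, str],
                      needles: Optional[List[str]] = None) -> bool:
    """Return True when every needle is a substring of event['CommandLine'].

    Sigma compares string values case-insensitively (no `cased` modifier in
    this rule), so both sides are lower-cased. An event without a CommandLine
    field can never match: the rule has nothing to evaluate.
    """
    needles = SELECTION_CONTAINS_ALL if needles is None else needles
    cmdline = event.get("CommandLine")
    if cmdline is None:
        return False
    haystack = cmdline.lower()
    return all(n.lower() in haystack for n in needles)


# Constructed sample events using Sysmon Event ID 1 style field names.
SAMPLE_EVENTS = [
    # 0: constructed inline-VBScript command line with all four indicators
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": (r'rundll32.exe vbscript:"\..\mshtml,RunHTMLApplication "+'
                     r'Execute(CreateObject("WScript.Shell").RegRead("HKLM\SOFTWARE\Example\Payload"))'
                     r'+String(window.close())')},
    # 1: ordinary administrative use of rundll32 (opens the Display control panel)
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl'},
    # 2: same indicators, upper-cased image name and a different order: still matches
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'RUNDLL32.EXE vbscript:window.close():RegRead:Execute'},
    # 3: only three of the four substrings (no window.close): no match
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe vbscript:Execute(CreateObject("WScript.Shell").RegRead("HKCU\x"))'},
    # 4: CommandLine not logged at all (e.g. 4688 without command-line auditing)
    {"Image": r"C:\Windows\System32\rundll32.exe"},
]


def run_detection(events: Optional[List[Dict[str, str]]] = None) -> List[int]:
    """Return the indices of the events that fire the rule."""
    events = SAMPLE_EVENTS if events is None else events
    return [i for i, e in enumerate(events) if matches_selection(e)]


if __name__ == "__main__":
    for i in run_detection():
        print(f"ALERT level=high event={i} CommandLine={SAMPLE_EVENTS[i]['CommandLine']}")
```

Event 4 is the practical caveat: the rule keys entirely on `CommandLine`, so it only works where process creation logging actually records the command line (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled). Event 2 shows why the rule is written as substrings rather than a full-command-line pattern: the indicators can be reordered or re-cased without escaping the match.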
Related rules
- Created Files by Microsoft Sync Center
- Dllhost.EXE Execution Anomaly
- DotNet CLR DLL Loaded By Scripting Applications
- HackTool - DInjector PowerShell Cradle Execution
- Injected Browser Process Spawning Rundll32 - GuLoader Activity