Suspicious Rundll32 Invoking Inline VBScript
Detects suspicious rundll32 process creation where the command line invokes inline VBScript, a technique observed in use by UNC2452.
Sigma rule (View on GitHub)
title: Suspicious Rundll32 Invoking Inline VBScript
id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
status: test
description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
references:
    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021/03/05
modified: 2022/10/09
tags:
    - attack.defense_evasion
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'rundll32.exe'
            - 'Execute'
            - 'RegRead'
            - 'window.close'
    condition: selection
falsepositives:
    - Unknown
level: high
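To show how the `CommandLine|contains|all` selection above behaves when evaluated, here is a stand-alone re-implementation of the rule's matching logic run over a handful of constructed process-creation events. This is an added example, not code from the Sigma project or from the rule's author; it assumes events are dicts carrying a `CommandLine` field (as Sysmon Event ID 1 or Security 4688 provide), and the "matching" command lines are inert test strings assembled only to contain the four tokens.

```python
"""Stand-alone re-implementation of the rule's selection logic (added example,
not code from the Sigma project). Assumes process_creation events are dicts
carrying a CommandLine field, as Sysmon Event ID 1 or Security 4688 provide."""

RULE_TITLE = "Suspicious Rundll32 Invoking Inline VBScript"
RULE_LEVEL = "high"

# Mirrors `CommandLine|contains|all` from the rule: every token must be present.
REQUIRED_TOKENS = ("rundll32.exe", "Execute", "RegRead", "window.close")


def missing_tokens(command_line: str) -> list:
    """Return the required tokens that are absent from the command line.

    Sigma's `contains` modifier is case-insensitive unless `cased` is added,
    so both sides are lower-cased before comparison. An empty list means the
    selection fires; a non-empty list explains why it did not, which helps
    when tuning the rule against a baseline of benign rundll32 activity.
    """
    haystack = command_line.lower()
    return [tok for tok in REQUIRED_TOKENS if tok.lower() not in haystack]


def command_line_matches(command_line: str) -> bool:
    """True when the rule's `condition: selection` holds for this command line."""
    return not missing_tokens(command_line)


def scan_events(events: list) -> list:
    """Apply the rule to a batch of process_creation events.

    Returns one alert dict per matching event, carrying the rule title and
    level so downstream tooling can route it by severity. Events without a
    CommandLine field are treated as non-matching rather than raising.
    """
    alerts = []
    for event in events:
        command_line = event.get("CommandLine") or ""
        if command_line_matches(command_line):
            alerts.append({
                "rule": RULE_TITLE,
                "level": RULE_LEVEL,
                "Image": event.get("Image"),
                "CommandLine": command_line,
            })
    return alerts


# Constructed sample events; the "matching" command lines are inert test
# strings assembled only to contain the four tokens, not working payloads.
SAMPLE_EVENTS = [
    {   # routine rundll32 use: opens the Printers control panel applet
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL printui.dll",
    },
    {   # constructed: all four tokens present in the rule's own casing
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": "rundll32.exe <constructed> Execute RegRead window.close",
    },
    {   # constructed: same tokens, different casing; Sigma still matches
        "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "CommandLine": "RUNDLL32.EXE <constructed> execute regread WINDOW.CLOSE",
    },
    {   # constructed: three of four tokens, so the `all` requirement fails
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": "rundll32.exe <constructed> Execute window.close",
    },
    {   # event with no CommandLine field at all (e.g. redacted by the sensor)
        "Image": r"C:\Windows\System32\rundll32.exe",
    },
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['rule']}: {alert['CommandLine']}")
```

Running the file reports two alerts out of the five constructed events: the benign control-panel invocation, the event missing `RegRead`, and the event with no `CommandLine` field all stay silent. The case-insensitive comparison is deliberate, since Sigma backends apply `contains` without regard to case unless the rule adds the `cased` modifier; a SIEM translation that matched case-sensitively would miss the third sample.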
References
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
Related rules
- HackTool - DInjector PowerShell Cradle Execution
- Suspicious Userinit Child Process
- ETW Logging Tamper In .NET Processes
- Execute From Alternate Data Streams
- Format.com FileSystem LOLBIN