Potential Obfuscated Ordinal Call Via Rundll32
Detects execution of "rundll32" with potentially obfuscated ordinal calls, i.e. a DLL entry point written as `#+<n>` or `#-<n>` instead of the plain `#<n>` form that rundll32 normally receives.
Sigma rule
title: Potential Obfuscated Ordinal Call Via Rundll32
id: 43fa5350-db63-4b8f-9a01-789a427074e1
status: test
description: Detects execution of "rundll32" with potential obfuscated ordinal calls
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli:
        CommandLine|contains:
            - '#+'
            - '#-'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
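To make the rule's semantics concrete, the following is an added example (not part of the rule or of the SigmaHQ project) that re-implements its two selections in Python and runs them over a handful of constructed process_creation events. It applies Sigma's default case-insensitive string matching, treats the list of maps under `selection_img` as an OR between the three field checks (so a renamed rundll32 copy is still caught through `OriginalFileName`), and shows that a plain `#12` ordinal is deliberately not flagged: only the `+`/`-` sign directly after `#` triggers the rule. The event field names follow the Sigma process_creation taxonomy; the DLL paths and command lines are made up for the demonstration.

```python
"""Reference evaluation of the rule above over constructed Windows process_creation events."""
import re
from typing import Dict, List, Optional

# Selections transcribed from the YAML. Sigma's endswith/contains/equals
# matching is case-insensitive unless the |cased modifier is used.
SELECTION_IMG = [  # list of maps under a selection => OR between the entries
    ("Image", "endswith", [r"\rundll32.exe"]),
    ("OriginalFileName", "equals", ["RUNDLL32.EXE"]),
    ("CommandLine", "contains", ["rundll32"]),
]
SELECTION_CLI = ("CommandLine", "contains", ["#+", "#-"])  # list of values => OR


def _match(value: Optional[str], op: str, patterns: List[str]) -> bool:
    """Case-insensitive Sigma string match; a missing field never matches."""
    if value is None:
        return False
    v = str(value).lower()
    for pattern in patterns:
        p = pattern.lower()
        if op == "endswith" and v.endswith(p):
            return True
        if op == "contains" and p in v:
            return True
        if op == "equals" and v == p:
            return True
    return False


def selection_img(event: Dict[str, str]) -> bool:
    """True if the process looks like rundll32 by image path, PE original name, or command line."""
    return any(_match(event.get(field), op, pats) for field, op, pats in SELECTION_IMG)


def selection_cli(event: Dict[str, str]) -> bool:
    """True if the command line carries a signed ordinal token ('#+' or '#-')."""
    field, op, pats = SELECTION_CLI
    return _match(event.get(field), op, pats)


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def signed_ordinal_tokens(cmdline: str) -> List[str]:
    """Extract the '#+...' / '#-...' tokens for triage context (not part of the rule itself)."""
    return re.findall(r"#[+-]\S*", cmdline)


# Constructed sample events (hypothetical paths and DLL names, for illustration only).
EVENTS = [
    {"id": "benign-cpl",
     "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
    {"id": "plain-ordinal",  # ordinal call without a sign: not in scope of this rule
     "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\tool.dll,#12"},
    {"id": "signed-ordinal",  # upper-case image path exercises case-insensitive matching
     "Image": r"C:\Windows\SysWOW64\RUNDLL32.EXE", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"RUNDLL32.EXE C:\Users\Public\tool.dll,#+12"},
    {"id": "renamed-binary",  # copy of rundll32 renamed; caught via OriginalFileName
     "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"svc.exe C:\Users\Public\tool.dll,#-5"},
    {"id": "not-rundll32",  # '#+' present but the process is not rundll32 at all
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -c Write-Output '#+1'"},
]


def evaluate(events: List[Dict[str, str]]) -> Dict[str, bool]:
    """Map each event id to whether the rule fires on it."""
    return {e["id"]: rule_matches(e) for e in events}


if __name__ == "__main__":
    for event in EVENTS:
        hit = rule_matches(event)
        tokens = signed_ordinal_tokens(event["CommandLine"]) if hit else []
        print(f"{event['id']:16} match={hit!s:5} tokens={tokens}")
```

Two points the run makes visible: the `selection_img` disjunction is what keeps a renamed rundll32 binary in scope, and the rule says nothing about unsigned ordinals, so a hunt for `#<n>` calls in general needs a separate, noisier query.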