Potential Obfuscated Ordinal Call Via Rundll32

Detects execution of "rundll32" with potentially obfuscated ordinal calls

Sigma rule

```yaml
title: Potential Obfuscated Ordinal Call Via Rundll32
id: 43fa5350-db63-4b8f-9a01-789a427074e1
status: test
description: Detects execution of "rundll32" with potentially obfuscated ordinal calls
references:
    - Internal Research
    - https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2023-05-17
modified: 2025-02-23
tags:
    - attack.defense-evasion
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli:
        CommandLine|contains:
            - '#+'
            - '#-'
            # An ordinal can be written with any number of leading zeros, e.g. '#000000024' still resolves to ordinal 24
            - '#0'
            # Ordinals are 16-bit values, so a number that does not fit in 16 bits wraps around:
            # ordinal 24 can also be written as '#65560' (65536 + 24)
            - '#655'
            - '#656'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
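The rule's logic run over a few constructed process_creation events, as an added example that is not part of the SigmaHQ rule or its tooling. It reimplements the two selections (OR within each list, AND across them via `all of selection_*`) in plain Python, and adds a small resolver that maps the obfuscated forms the comments describe (leading zeros, `+` sign, values above 65535) back to the ordinal rundll32 ends up looking up. The event dictionaries are constructed sample data, case-insensitive matching is assumed (the normal Sigma behaviour for Windows process_creation fields), and the 16-bit wrap is modelled as modulo 65536 as the rule comments describe; how a negative ordinal resolves is not stated on the page, so the resolver leaves `#-` tokens unresolved.

```python
import re

# Substrings copied from the rule's selection_cli. Sigma string matching on Windows
# process_creation fields is case-insensitive, so inputs are lowered before comparing.
OBFUSCATED_MARKERS = ("#+", "#-", "#0", "#655", "#656")

# An ordinal argument as rundll32 takes it: '#' followed by an optional sign and digits.
ORDINAL_RE = re.compile(r"#([+-]?)(\d+)")


def selection_img(event):
    """Any one of the three image/command-line conditions (a Sigma list means OR)."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").upper()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("\\rundll32.exe") or ofn == "RUNDLL32.EXE" or "rundll32" in cmd


def selection_cli(event):
    """CommandLine|contains over a list: true if any marker is a substring."""
    cmd = event.get("CommandLine", "").lower()
    return any(marker in cmd for marker in OBFUSCATED_MARKERS)


def matches_rule(event):
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


def canonical_ordinal(token):
    """Resolve '#000024', '#+24' or '#65560' to the ordinal rundll32 ends up looking up.

    int() discards leading zeros and the '+' sign; the 16-bit wrap described in the rule
    comments is modelled as modulo 65536 (assumption). The rule also flags '#-', but the
    page does not say how a negative ordinal resolves, so that case returns None.
    """
    m = ORDINAL_RE.fullmatch(token)
    if m is None or m.group(1) == "-":
        return None
    return int(m.group(2)) % 65536


def ordinals_in(cmdline):
    """Every '#<n>' token in a command line, paired with its canonical value."""
    return [(m.group(0), canonical_ordinal(m.group(0))) for m in ORDINAL_RE.finditer(cmdline)]


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,#61"},                   # plain ordinal, no marker
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,#000024"},      # leading zeros -> '#0'
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,#65560"},       # 65536 + 24 -> '#655'
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c rundll32 C:\Users\Public\x.dll,#+24"},  # via cmd.exe, '#+'
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\Public\#0123.txt"},            # marker but not rundll32
]


def run_detection(events):
    """Return the command lines the rule would alert on, in input order."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for cmd in run_detection(SAMPLE_EVENTS):
        print("ALERT:", cmd, "->", ordinals_in(cmd))
```

Running the block alerts on the second, third and fourth events and resolves all three to ordinal 24; the first event (a plain `#61`) and the notepad event (a marker in a non-rundll32 command line) pass. Because `'#655'` and `'#656'` are bare substring matches, feeding the harness a genuine `#655` or `#6560` ordinal shows that those also trigger the rule, which is worth knowing when triaging hits.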
