Potential Obfuscated Ordinal Call Via Rundll32
Detects execution of "rundll32" with potential obfuscated ordinal calls
Sigma rule

```yaml
title: Potential Obfuscated Ordinal Call Via Rundll32
id: 43fa5350-db63-4b8f-9a01-789a427074e1
status: test
description: Detects execution of "rundll32" with potential obfuscated ordinal calls
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/17
tags:
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli:
        CommandLine|contains:
            - '#+'
            - '#-'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
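The rule's detection block reads as two OR-ed selections joined by an AND: `selection_img` identifies the process as rundll32 (by image path, by the PE's `OriginalFileName`, or by the command line), and `selection_cli` looks for a `#+` or `#-` ordinal token on the command line. The following Python, an added example that is not part of the Sigma project or this rule, reproduces that logic over a handful of constructed `process_creation` events so you can see which ones fire and which deliberately fall outside the rule's scope. Field names follow the rule; the event records themselves are made up.

```python
# Added example: evaluates the Sigma rule's logic over constructed Windows
# process_creation events. Not part of the Sigma project; field names follow
# the rule (Image, OriginalFileName, CommandLine), the event records are made up.
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    """Minimal process_creation event carrying the three fields the rule uses."""
    image: str
    original_file_name: str
    command_line: str


def selection_img(ev: ProcessEvent) -> bool:
    """selection_img is a list of field/value pairs, so any one match suffices.
    Sigma string modifiers are case-insensitive by default; lower() mirrors that."""
    return (
        ev.image.lower().endswith("\\rundll32.exe")
        or ev.original_file_name.lower() == "rundll32.exe"
        or "rundll32" in ev.command_line.lower()
    )


def selection_cli(ev: ProcessEvent) -> bool:
    """selection_cli is CommandLine|contains with a value list, again OR-ed."""
    cl = ev.command_line.lower()
    return "#+" in cl or "#-" in cl


def rule_matches(ev: ProcessEvent) -> bool:
    """condition: all of selection_* -> both selections must be true."""
    return selection_img(ev) and selection_cli(ev)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[ProcessEvent] = [
    # 1. rundll32 with a '+' prefixed ordinal: fires.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
                 r"rundll32.exe C:\Temp\lib.dll,#+2"),
    # 2. binary renamed on disk, but OriginalFileName from the PE header still
    #    reads RUNDLL32.EXE and the command line carries '#-': fires.
    ProcessEvent(r"C:\Users\Public\svc.exe", "RUNDLL32.EXE",
                 r"svc.exe C:\Temp\lib.dll,#-3"),
    # 3. ordinary rundll32 use with a named export: selection_cli fails.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
                 r"rundll32.exe shell32.dll,Control_RunDLL"),
    # 4. '#+' in an unrelated process's arguments: selection_img fails.
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                 r"notepad.exe C:\notes\todo#+1.txt"),
    # 5. plain numeric ordinal without '+' or '-': outside the rule's scope,
    #    so it does not fire (a deliberate limit of the rule, not a bug here).
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
                 r"rundll32.exe C:\Temp\lib.dll,#2"),
]


def evaluate(events: List[ProcessEvent]) -> List[bool]:
    """Apply the rule to each event and return one verdict per event."""
    return [rule_matches(ev) for ev in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT' if hit else '   ok'}  {ev.command_line}")
```

Events 1 and 2 alert, events 3 to 5 do not. Event 5 is worth noting when tuning: the rule intentionally matches only the `#+` and `#-` spellings, so a plain `#<number>` ordinal is left to other rules or to baseline review of rundll32 usage.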
Related rules
- Bitsadmin to Uncommon TLD
- Dllhost.EXE Execution Anomaly
- Driver/DLL Installation Via Odbcconf.EXE
- File Download Via Bitsadmin To A Suspicious Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin