Potential Obfuscated Ordinal Call Via Rundll32
Detects execution of "rundll32" with potential obfuscated ordinal calls
Sigma rule

title: Potential Obfuscated Ordinal Call Via Rundll32
id: 43fa5350-db63-4b8f-9a01-789a427074e1
status: experimental
description: Detects execution of "rundll32" with potential obfuscated ordinal calls
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/17
tags:
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli:
        CommandLine|contains:
            - '#+'
            - '#-'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
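The rule's detection block reads as two selections joined by AND: selection_img (a list, so its three items are OR-ed) identifies rundll32 by image path, by OriginalFileName (which survives a renamed binary) or by the command line, and selection_cli requires a "#+" or "#-" token in the command line. The following Python is an added example, not the rule's own code and not part of Sigma or any Sigma backend; it implements that logic directly, using Sigma's default case-insensitive string matching, over a handful of constructed process_creation events with Sysmon-style field names matching the rule's keys.

```python
"""Evaluate the Sigma rule above over constructed process_creation events.
Added example: not part of the rule, of Sigma, or of any Sigma backend."""

# Constructed sample events (not real telemetry). Field names mirror the rule.
SAMPLE_EVENTS = [
    {  # ordinal written with "#+": should match
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Users\Public\example.dll,#+1",
    },
    {  # binary renamed, but OriginalFileName still reveals rundll32: should match on "#-"
        "Image": r"C:\Users\Public\update.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"update.exe example.dll,#-5",
    },
    {  # ordinary ordinal call without "+"/"-": must not match
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,#1",
    },
    {  # unrelated process whose arguments happen to contain "#-": selection_img fails
        "Image": r"C:\Program Files\Tool\tool.exe",
        "OriginalFileName": "TOOL.EXE",
        "CommandLine": r'tool.exe --tag "#-release"',
    },
]


def _field(event, name):
    """Return a field as a lower-cased string; Sigma string matching is case-insensitive by default."""
    return str(event.get(name, "")).lower()


def selection_img(event):
    """selection_img is a YAML list, so its three items are OR-ed."""
    return (
        _field(event, "Image").endswith(r"\rundll32.exe")
        or _field(event, "OriginalFileName") == "rundll32.exe"
        or "rundll32" in _field(event, "CommandLine")
    )


def selection_cli(event):
    """CommandLine|contains with a list of values: any one value is enough."""
    cmd = _field(event, "CommandLine")
    return any(token in cmd for token in ("#+", "#-"))


def matches(event):
    """condition: all of selection_*  ->  selection_img AND selection_cli."""
    return selection_img(event) and selection_cli(event)


def run(events=SAMPLE_EVENTS):
    """Return one boolean per event, True where the rule would alert."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run()):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

The second event shows why the rule keys on OriginalFileName as well as Image: renaming the binary on disk does not change the PE version resource, so the renamed copy is still caught. The fourth event shows the other side, which the rule's "Unknown" false-positive entry leaves open: a "#-" substring alone is not enough, the process must also look like rundll32, which keeps ordinary tools with such argument strings out of the alert stream.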
Related rules
- LiveKD Driver Creation
- LiveKD Driver Creation By Uncommon Process
- LiveKD Kernel Memory Dump File Created
- Windows Kernel Debugger Execution
- Gootloader JavaScript Execution in AppData Folder (RedCanary Threat Detection Report)