Rundll32 Spawned Via Explorer.EXE
Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
Sigma rule (View on GitHub)
1title: Rundll32 Spawned Via Explorer.EXE
2id: 1723e720-616d-4ddc-ab02-f7e3685a4713
3status: experimental
4description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
5references:
6 - https://redcanary.com/blog/raspberry-robin/
7 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
8author: CD_ROM_
9date: 2022/05/21
10modified: 2023/08/31
11tags:
12 - attack.defense_evasion
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_parent:
18 ParentImage|endswith: '\explorer.exe'
19 selection_img:
20 - Image|endswith: '\rundll32.exe'
21 - OriginalFileName: 'RUNDLL32.EXE'
22 filter_main_generic:
23 - CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required
24 - CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' # Windows 10 volume control
25 condition: all of selection_* and not 1 of filter_main_*
26falsepositives:
27 - Unknown
28level: medium
References
-
Raspberry Robin is a worm spread by external drives that leverages Windows Installer to download a malicious DLL.
Read More -
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. … Read More
Read More
Related rules
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
- IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
- Old TLS1.0/TLS1.1 Protocol Version Enabled
- VMMap Signed Dbghelp.DLL Potential Sideloading