Suspicious Rundll32 Script in CommandLine

Detects suspicious process related to rundll32 based on arguments

Sigma rule

title: Suspicious Rundll32 Script in CommandLine
id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
status: test
description: Detects suspicious process related to rundll32 based on arguments
references:
    - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
    - https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md
author: frack113, Zaw Min Htun (ZETA)
date: 2021/12/04
modified: 2023/02/03
tags:
    - attack.defense_evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains: 'rundll32'
    selection2:
        CommandLine|contains:
            - 'mshtml,RunHTMLApplication'
            - 'mshtml,#135'
    selection3:
        CommandLine|contains:
            - 'javascript:'
            - 'vbscript:'
    condition: all of selection*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
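The rule only fires when all three selections hit the same CommandLine: the rundll32 token, one of the mshtml RunHTMLApplication export forms (by name or by ordinal), and a javascript: or vbscript: protocol handler. A plain rundll32 invocation of a control panel applet, or a script URL that never passes through rundll32, therefore does not alert. The following Python re-implements that matching logic by hand over constructed process_creation events; it is an added example, not part of the Sigma rule or of any Sigma tooling, and the sample events, the SELECTIONS table, and the placeholder payload are all assumptions built for illustration. It applies Sigma's default case-insensitive string matching (values are case-insensitive unless the cased modifier is used), which is why the upper-case RUNDLL32.EXE variant still matches.

```python
"""Evaluate the Sigma detection logic above over constructed process_creation events.

Added example, not part of the Sigma rule or project: it re-implements the rule's
matching semantics by hand (no pySigma dependency) to show how the three selections
combine and where benign rundll32 usage falls out.
"""

# One entry per selection; a selection matches when ANY of its values is a substring
# of CommandLine (a list under a field in Sigma means OR). Sigma string matching is
# case-insensitive unless the `cased` modifier is used, so compare in lower case.
SELECTIONS = {
    "selection1": ["rundll32"],
    "selection2": ["mshtml,RunHTMLApplication", "mshtml,#135"],
    "selection3": ["javascript:", "vbscript:"],
}


def selection_matches(command_line: str, values: list[str]) -> bool:
    """`CommandLine|contains` with a list of values: case-insensitive OR."""
    haystack = command_line.lower()
    return any(value.lower() in haystack for value in values)


def matched_selections(event: dict) -> list[str]:
    """Names of the selections that match this event; handy for triage output."""
    command_line = event.get("CommandLine", "")
    return [name for name, values in SELECTIONS.items()
            if selection_matches(command_line, values)]


def rule_matches(event: dict) -> bool:
    """`condition: all of selection*` -> every selection must match."""
    return len(matched_selections(event)) == len(SELECTIONS)


# Constructed sample events (not real telemetry). Only CommandLine matters to this
# rule; Image is included so the records look like process_creation events.
SAMPLE_EVENTS = [
    {   # full pattern: named export plus javascript: handler, payload replaced by a placeholder
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<PAYLOAD_PLACEHOLDER>',
    },
    {   # same technique via the ordinal export and VBScript, with mixed case
        "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "CommandLine": r'RUNDLL32.EXE VBScript:"\..\mshtml,#135"',
    },
    {   # benign: rundll32 opening a control panel applet (selection2 and selection3 absent)
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    },
    {   # javascript: URL with no rundll32 anywhere (selection1 absent)
        "Image": r"C:\Program Files\Browser\browser.exe",
        "CommandLine": r'browser.exe "javascript:void(0)"',
    },
    {   # mshtml export named but no script protocol handler (selection3 absent)
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe mshtml,RunHTMLApplication",
    },
]


def run_rule(events: list[dict]) -> list[str]:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT " if rule_matches(event) else "ignore"
        print(f"{verdict}  {matched_selections(event)}  {event['CommandLine']}")
```

Running the script alerts on the first two events only. The partial matches (selection1 alone, or selection1 plus selection2) are the cases the falsepositives note is about: administrative rundll32 usage is common, and it is the combination with a script protocol handler that makes the event worth a medium-level alert.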
