Shell32 DLL Execution in Suspicious Directory

Jan 1, 2024 · attack.defense_evasion attack.execution attack.t1218.011 ·

Detects shell32.dll executing a DLL in a suspicious directory

Sigma rule (View on GitHub)

 1title: Shell32 DLL Execution in Suspicious Directory
 2id: 32b96012-7892-429e-b26c-ac2bf46066ff
 3status: test
 4description: Detects shell32.dll executing a DLL in a suspicious directory
 5references:
 6    - https://www.group-ib.com/resources/threat-research/red-curl-2.html
 7author: Christian Burkard (Nextron Systems)
 8date: 2021/11/24
 9modified: 2023/02/09
10tags:
11    - attack.defense_evasion
12    - attack.execution
13    - attack.t1218.011
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|endswith: '\rundll32.exe'
20        - OriginalFileName: 'RUNDLL32.EXE'
21    selection_cli:
22        CommandLine|contains|all:
23            - 'shell32.dll'
24            - 'Control_RunDLL'
25        CommandLine|contains:
26            - '%AppData%'
27            - '%LocalAppData%'
28            - '%Temp%'
29            - '%tmp%'
30            - '\AppData\'
31            - '\Temp\'
32            - '\Users\Public\'
33    condition: all of selection_*
34falsepositives:
35    - Unknown
36level: high

References

https://www.group-ib.com/resources/threat-research/red-curl-2.html

Read More

Shell32 DLL Execution in Suspicious Directory

Sigma rule (View on GitHub)

References

https://www.group-ib.com/resources/threat-research/red-curl-2.html

Related rules