Potential ShellDispatch.DLL Functionality Abuse
Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
Sigma rule (View on GitHub)
1title: Potential ShellDispatch.DLL Functionality Abuse
2id: 82343930-652f-43f5-ab70-2ee9fdd6d5e9
3status: test
4description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
5references:
6 - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
7author: X__Junior (Nextron Systems)
8date: 2023/06/20
9tags:
10 - attack.execution
11 - attack.defense_evasion
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection_img:
17 - Image|endswith: '\rundll32.exe'
18 - OriginalFileName: 'RUNDLL32.EXE'
19 selection_cli:
20 CommandLine|contains: 'RunDll_ShellExecuteW'
21 condition: all of selection_*
22falsepositives:
23 - Unlikely
24level: medium
References
-
I have written about Nullsoft installer a few times before. I am a bit fascinated by it, because there is not that much research about it, in general, and even less – about its esoteric, yet omnipr...
Read More
Related rules
- Potential Adplus.EXE Abuse
- Potential ReflectDebugger Content Execution Via WerFault.EXE
- Potentially Suspicious Child Process Of ClickOnce Application
- UNC4841 - Barracuda ESG Exploitation Indicators
- UNC4841 - Email Exfiltration File Pattern