Potentially Suspicious Rundll32 Activity
Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
Sigma rule
title: Potentially Suspicious Rundll32 Activity
id: e593cf51-88db-4ee1-b920-37e89012a3c9
status: test
description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
references:
    - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
    - https://twitter.com/Hexacorn/status/885258886428725250
    - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
    - https://twitter.com/nas_bench/status/1433344116071583746 # dfshim.dll,ShOpenVerbShortcut
    - https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib
    - https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen
author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-05-17
tags:
    - attack.defense-evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
              - 'javascript:'
              - '.RegisterXLL'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'OpenURLA'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'FileProtocolHandler'
        - CommandLine|contains|all:
              - 'zipfldr.dll'
              - 'RouteTheCall'
        - CommandLine|contains|all:
              - 'shell32.dll'
              - 'Control_RunDLL'
        - CommandLine|contains|all:
              - 'shell32.dll'
              - 'ShellExec_RunDLL'
        - CommandLine|contains|all:
              - 'mshtml.dll'
              - 'PrintHTML'
        - CommandLine|contains|all:
              - 'advpack.dll'
              - 'LaunchINFSection'
        - CommandLine|contains|all:
              - 'advpack.dll'
              - 'RegisterOCX'
        - CommandLine|contains|all:
              - 'ieadvpack.dll'
              - 'LaunchINFSection'
        - CommandLine|contains|all:
              - 'ieadvpack.dll'
              - 'RegisterOCX'
        - CommandLine|contains|all:
              - 'ieframe.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'shdocvw.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'syssetup.dll'
              - 'SetupInfObjectInstallAction'
        - CommandLine|contains|all:
              - 'setupapi.dll'
              - 'InstallHinfSection'
        - CommandLine|contains|all:
              - 'pcwutl.dll'
              - 'LaunchApplication'
        - CommandLine|contains|all:
              - 'dfshim.dll'
              - 'ShOpenVerbApplication'
        - CommandLine|contains|all:
              - 'dfshim.dll'
              - 'ShOpenVerbShortcut'
        - CommandLine|contains|all:
              - 'scrobj.dll'
              - 'GenerateTypeLib'
              - 'http'
        - CommandLine|contains|all:
              - 'shimgvw.dll'
              - 'ImageView_Fullscreen'
              - 'http'
        - CommandLine|contains|all:
              - 'comsvcs.dll'
              - 'MiniDump'
    filter_main_screensaver:
        CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver'
    filter_main_parent_cpl: # Settings
        ParentImage: 'C:\Windows\System32\control.exe'
        ParentCommandLine|contains: '.cpl'
        CommandLine|contains|all:
            - 'Shell32.dll'
            - 'Control_RunDLL'
            - '.cpl'
    filter_main_startmenu:
        ParentImage: 'C:\Windows\System32\control.exe'
        CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\'
        CommandLine|endswith: '.cpl",'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
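As an added example (not part of the Sigma project or of this rule), the following Python evaluator reproduces the rule's detection logic so the `selection and not 1 of filter_main_*` condition can be traced by hand: each `CommandLine|contains|all` block becomes a tuple of substrings, each `filter_main_*` map becomes a function whose field conditions are ANDed, and the condition fires only when the selection matches and no filter does. It assumes Sigma's default case-insensitive string matching and the `process_creation` field names used in the rule (`CommandLine`, `ParentImage`, `ParentCommandLine`); the sample events are constructed, not real telemetry, and include two filtered control-panel launches to show why the exclusions exist.

```python
# Added illustration code: a minimal evaluator for the detection logic of the
# Sigma rule "Potentially Suspicious Rundll32 Activity". Not part of the Sigma
# project; sample events below are constructed.

# One tuple per "CommandLine|contains|all" block of the rule's selection.
SELECTION_ALL = [
    ("javascript:", ".RegisterXLL"),
    ("url.dll", "OpenURL"), ("url.dll", "OpenURLA"), ("url.dll", "FileProtocolHandler"),
    ("zipfldr.dll", "RouteTheCall"),
    ("shell32.dll", "Control_RunDLL"), ("shell32.dll", "ShellExec_RunDLL"),
    ("mshtml.dll", "PrintHTML"),
    ("advpack.dll", "LaunchINFSection"), ("advpack.dll", "RegisterOCX"),
    ("ieadvpack.dll", "LaunchINFSection"), ("ieadvpack.dll", "RegisterOCX"),
    ("ieframe.dll", "OpenURL"), ("shdocvw.dll", "OpenURL"),
    ("syssetup.dll", "SetupInfObjectInstallAction"),
    ("setupapi.dll", "InstallHinfSection"),
    ("pcwutl.dll", "LaunchApplication"),
    ("dfshim.dll", "ShOpenVerbApplication"), ("dfshim.dll", "ShOpenVerbShortcut"),
    ("scrobj.dll", "GenerateTypeLib", "http"),
    ("shimgvw.dll", "ImageView_Fullscreen", "http"),
    ("comsvcs.dll", "MiniDump"),
]


def contains_all(haystack, needles):
    """Sigma contains|all: every needle is a substring of the field.
    Sigma string matching is case-insensitive by default (assumed here)."""
    lowered = haystack.lower()
    return all(n.lower() in lowered for n in needles)


def selection(event):
    """selection: a list of maps, so any one contains|all block matching suffices."""
    cmd = event.get("CommandLine", "")
    return any(contains_all(cmd, needles) for needles in SELECTION_ALL)


def filter_main_screensaver(event):
    return contains_all(event.get("CommandLine", ""),
                        ["shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver"])


def filter_main_parent_cpl(event):
    # Field conditions inside one map are ANDed.
    return (event.get("ParentImage", "").lower() == r"c:\windows\system32\control.exe"
            and ".cpl" in event.get("ParentCommandLine", "").lower()
            and contains_all(event.get("CommandLine", ""),
                             ["Shell32.dll", "Control_RunDLL", ".cpl"]))


def filter_main_startmenu(event):
    cmd = event.get("CommandLine", "").lower()
    prefix = '"c:\\windows\\system32\\rundll32.exe" shell32.dll,control_rundll "c:\\windows\\system32\\'
    return (event.get("ParentImage", "").lower() == r"c:\windows\system32\control.exe"
            and cmd.startswith(prefix) and cmd.endswith('.cpl",'))


FILTERS = [filter_main_screensaver, filter_main_parent_cpl, filter_main_startmenu]


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


# Constructed sample process_creation events (synthetic, not real telemetry).
SAMPLE_EVENTS = [
    # 1: url.dll,OpenURL pair from the rule -> alert
    {"CommandLine": "rundll32.exe url.dll,OpenURL C:\\Users\\Public\\constructed.url",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    # 2: mixed-case spelling of a listed pair -> still an alert
    {"CommandLine": "RUNDLL32.EXE ZipFldr.dll,RouteTheCall notepad.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe"},
    # 3: screensaver settings dialog -> selection hits, filter_main_screensaver excludes it
    {"CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver',
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    # 4: control.exe opening a .cpl -> both control-panel filters exclude it
    {"CommandLine": r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl",',
     "ParentImage": r"C:\Windows\System32\control.exe",
     "ParentCommandLine": r'"C:\Windows\System32\control.exe" "C:\Windows\System32\timedate.cpl"'},
    # 5: rundll32 export the rule does not cover -> no alert
    {"CommandLine": "rundll32.exe printui.dll,PrintUIEntry /?",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe"},
]


def alerts(events):
    """Return the CommandLine of every event the rule would fire on."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for cmd in alerts(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Events 3 and 4 are the interesting ones for tuning: both satisfy the `shell32.dll` + `Control_RunDLL` selection, and only the parent-process and exact-string filters keep routine control-panel launches out of the alert queue. Any change to those filters should be checked against events of this shape before deployment.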
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- CobaltStrike Load by Rundll32
- Code Execution via Pcwutl.dll
- Equation Group DLL_U Export Function Load