Suspicious Control Panel DLL Load
Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
Sigma rule:

title: Suspicious Control Panel DLL Load
id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819
status: test
description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
references:
    - https://twitter.com/rikvduijn/status/853251879320662017
    - https://twitter.com/felixw3000/status/853354851128025088
author: Florian Roth (Nextron Systems)
date: 2017-04-15
modified: 2023-02-09
tags:
    - attack.defense-evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\System32\control.exe'
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    filter:
        CommandLine|contains: 'Shell32.dll'
    condition: all of selection_* and not filter
falsepositives:
    - Unknown
level: high
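The detection logic above, evaluated in Python against a few constructed process_creation events (this is an added example, not part of the Sigma rule or the SigmaHQ project; field names follow the Sysmon-style taxonomy the rule uses, and all sample events and paths are constructed). It shows how the OR between the two selection_img entries catches a renamed rundll32.exe via OriginalFileName, and how the Shell32.dll filter suppresses the normal Control Panel applet launch.

```python
# Added example: Python evaluation of the rule's condition
# "all of selection_* and not filter". Sigma's endswith/contains modifiers are
# case-insensitive by default, so both sides are lowercased before comparison.

def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event would fire the rule."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    # selection_parent: ParentImage|endswith '\System32\control.exe'
    selection_parent = parent.endswith(r"\system32\control.exe")
    # selection_img is a YAML list of maps, which Sigma OR-s together
    selection_img = image.endswith(r"\rundll32.exe") or orig == "rundll32.exe"
    # filter: CommandLine|contains 'Shell32.dll' (the legitimate applet host path)
    filter_hit = "shell32.dll" in cmdline

    return selection_parent and selection_img and not filter_hit


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: legitimate Control Panel applet launch, suppressed by the filter
        "ParentImage": r"C:\Windows\System32\control.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\intl.cpl",',
    },
    {   # 1: rundll32 loading a DLL from a user-writable path (constructed) -> alert
        "ParentImage": r"C:\Windows\System32\control.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Users\Public\unknown.dll,EntryPoint",
    },
    {   # 2: renamed rundll32 binary, still caught through OriginalFileName -> alert
        "ParentImage": r"C:\Windows\System32\control.exe",
        "Image": r"C:\Users\Public\r32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"r32.exe C:\Users\Public\unknown.dll,EntryPoint",
    },
    {   # 3: different parent process, out of scope for this rule
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Users\Public\unknown.dll,EntryPoint",
    },
]

def alerts(events):
    """Indices of the events that match the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```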
Related rules
- Fireball Archer Install
- Process Access via TrolleyExpress Exclusion
- Suspicious Rundll32 Setupapi.dll Activity
- ZxShell Malware
- Unsigned DLL Loaded by Windows Utility