Suspicious Control Panel DLL Load
Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
Sigma rule
```yaml
title: Suspicious Control Panel DLL Load
id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819
status: test
description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
references:
    - https://twitter.com/rikvduijn/status/853251879320662017
    - https://twitter.com/felixw3000/status/853354851128025088
author: Florian Roth (Nextron Systems)
date: 2017-04-15
modified: 2023-02-09
tags:
    - attack.defense-evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\System32\control.exe'
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    filter:
        CommandLine|contains: 'Shell32.dll'
    condition: all of selection_* and not filter
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
```
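The rule's condition (`all of selection_* and not filter`) evaluated in plain Python over a few constructed `process_creation` events, as an added example that is not part of the rule or the Sigma project. It assumes Sigma's default case-insensitive string matching and shows why the `Shell32.dll` filter is needed: the normal Control Panel applet launch path is excluded, while a renamed binary is still caught through `OriginalFileName`.

```python
# Constructed sample events (not real telemetry); field names follow the Sigma
# process_creation log source used by the rule.
EVENTS = [
    {   # Normal applet launch: control.exe hands off to rundll32 via Shell32.dll
        "ParentImage": r"C:\Windows\System32\control.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL desk.cpl',
    },
    {   # Suspicious: control.exe spawning rundll32 without Shell32.dll on the command line
        "ParentImage": r"C:\Windows\System32\control.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Users\Public\sample.dll,Start",
    },
    {   # Renamed rundll32: Image no longer ends with rundll32.exe, OriginalFileName still does
        "ParentImage": r"C:\Windows\System32\control.exe",
        "Image": r"C:\Windows\Temp\svc.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"svc.exe C:\Users\Public\sample.dll,Start",
    },
    {   # Different parent: selection_parent fails, so the rule does not fire
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Users\Public\sample.dll,Start",
    },
]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's detection condition."""
    # Sigma string modifiers are case-insensitive by default, so normalise everything.
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    selection_parent = parent.endswith(r"\system32\control.exe")
    # selection_img is a list of maps: any one of them matching is enough.
    selection_img = image.endswith(r"\rundll32.exe") or original == "rundll32.exe"
    filter_hit = "shell32.dll" in cmdline
    return selection_parent and selection_img and not filter_hit


def run_rule(events: list) -> list:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_rule(EVENTS):
        print("ALERT:", hit)
```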
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- CobaltStrike Load by Rundll32
- Code Execution via Pcwutl.dll
- Equation Group DLL_U Export Function Load