Suspicious Rundll32 Execution With Image Extension
Detects the execution of Rundll32.exe with DLL files masquerading as image files
Sigma rule

```yaml
title: Suspicious Rundll32 Execution With Image Extension
id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec
related:
    - id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
      type: similar
status: test
description: Detects the execution of Rundll32.exe with DLL files masquerading as image files
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
date: 2023-03-13
tags:
    - attack.defense-evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.exe'
    selection_cli:
        CommandLine|contains:
            - '.bmp'
            - '.cr2'
            - '.eps'
            - '.gif'
            - '.ico'
            - '.jpeg'
            - '.jpg'
            - '.nef'
            - '.orf'
            - '.png'
            - '.raw'
            - '.sr2'
            - '.tif'
            - '.tiff'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
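As an added example (not code from the SigmaHQ project or its tooling), the following Python reproduces this rule's detection logic, including Sigma's default case-insensitive string matching, and runs it over a few constructed process_creation events; the event dictionaries and their field values are invented for illustration.

```python
# Substrings from the rule's CommandLine|contains list.
IMAGE_EXTENSIONS = (".bmp", ".cr2", ".eps", ".gif", ".ico", ".jpeg", ".jpg",
                    ".nef", ".orf", ".png", ".raw", ".sr2", ".tif", ".tiff")


def selection_img(event: dict) -> bool:
    # A list under a selection is OR-ed; Sigma string matching is case-insensitive.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\rundll32.exe") or original == "rundll32.exe"


def selection_cli(event: dict) -> bool:
    # CommandLine|contains with a list matches if any substring is present.
    # Note this is a plain substring test: '.raw' also hits '.rawdata'.
    cmd = event.get("CommandLine", "").lower()
    return any(ext in cmd for ext in IMAGE_EXTENSIONS)


def matches(event: dict) -> bool:
    # condition: all of selection_*  ->  selection_img AND selection_cli
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\invoice.png,DllRegisterServer"},
    # Renamed binary: Image does not match, OriginalFileName still does.
    {"Image": r"C:\Windows\SysWOW64\renamed.exe",
     "OriginalFileName": "RUNDLL32.exe",
     "CommandLine": r"renamed.exe %TEMP%\photo.JPG,#1"},
    # Ordinary rundll32 use with a real DLL: no image extension, no alert.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # Image file opened by a viewer, not by rundll32: no alert.
    {"Image": r"C:\Program Files\Viewer\viewer.exe",
     "OriginalFileName": "viewer.exe",
     "CommandLine": r"viewer.exe C:\pics\cat.jpg"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    print("alerting events:", run())  # -> [0, 1]
```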
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- CobaltStrike Load by Rundll32
- Code Execution via Pcwutl.dll
- Equation Group DLL_U Export Function Load