Suspicious Rundll32 Execution With Image Extension
Detects the execution of Rundll32.exe with DLL files masquerading as image files
Sigma rule
title: Suspicious Rundll32 Execution With Image Extension
id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec
related:
    - id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
      type: similar
status: test
description: Detects the execution of Rundll32.exe with DLL files masquerading as image files
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
date: 2023/03/13
tags:
    - attack.defense_evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.exe'
    selection_cli:
        CommandLine|contains:
            - '.bmp'
            - '.cr2'
            - '.eps'
            - '.gif'
            - '.ico'
            - '.jpeg'
            - '.jpg'
            - '.nef'
            - '.orf'
            - '.png'
            - '.raw'
            - '.sr2'
            - '.tif'
            - '.tiff'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
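The following is an added example, not code from the Sigma project or from this page: a plain-Python evaluation of the rule's detection logic run over a handful of constructed process_creation events. It shows how the two selections combine (the list form of selection_img is an OR across Image and OriginalFileName, the value list under CommandLine|contains is an OR across extensions, and `all of selection_*` ANDs the two), that Sigma string matching is case-insensitive, and that `contains` is a substring test rather than a file-extension test. The event fields, paths and command lines are invented for illustration.

```python
# Added example (not part of the Sigma project or of this page): evaluates the
# rule's detection block in plain Python against constructed sample events.

# Extension list transcribed from selection_cli above.
IMAGE_EXTENSIONS = [
    ".bmp", ".cr2", ".eps", ".gif", ".ico", ".jpeg", ".jpg",
    ".nef", ".orf", ".png", ".raw", ".sr2", ".tif", ".tiff",
]


def selection_img(event):
    """selection_img is a YAML list of maps, which Sigma evaluates as OR:
    either the Image path ends with \\rundll32.exe or the PE header's
    OriginalFileName is RUNDLL32.exe (this second test catches a renamed copy).
    Sigma string comparisons are case-insensitive by default, hence lower()."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\rundll32.exe") or original == "rundll32.exe"


def matched_extensions(event):
    """Every listed extension that occurs as a substring of the command line.
    `contains` is a plain substring test, so a directory name such as
    'C:\\Photo.Raw Tools\\' also satisfies '.raw' even though no image file
    is referenced; this is the main false-positive source of the rule."""
    cmd = event.get("CommandLine", "").lower()
    return [ext for ext in IMAGE_EXTENSIONS if ext in cmd]


def selection_cli(event):
    """CommandLine|contains with a value list matches if ANY value is present."""
    return bool(matched_extensions(event))


def matches(event):
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry); field names follow the
# Sigma process_creation taxonomy.
SAMPLE_EVENTS = [
    {   # 0: DLL dropped with a .png name and loaded via rundll32 -> alert
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.exe",
        "CommandLine": r"rundll32.exe C:\Users\Public\invoice.png,DllRegisterServer",
    },
    {   # 1: ordinary rundll32 use with no image extension -> no alert
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    },
    {   # 2: an image viewer opening a .jpg -> not rundll32, no alert
        "Image": r"C:\Program Files\Viewer\viewer.exe",
        "OriginalFileName": "viewer.exe",
        "CommandLine": r'"C:\Program Files\Viewer\viewer.exe" C:\Users\a\photo.jpg',
    },
    {   # 3: rundll32 renamed on disk; OriginalFileName still identifies it -> alert
        "Image": r"C:\Users\Public\update.exe",
        "OriginalFileName": "RUNDLL32.exe",
        "CommandLine": r"update.exe C:\Users\Public\photo.jpeg,EntryPoint",
    },
    {   # 4: benign DLL under a folder whose name contains '.raw' -> alert (false positive)
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.exe",
        "CommandLine": r'rundll32.exe "C:\Program Files\Photo.Raw Tools\plugin.dll",Register',
    },
]


def alerting_indices(events):
    """Indices of the events on which the rule fires."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in alerting_indices(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"[{i}] ALERT level=high ext={matched_extensions(ev)} cmd={ev['CommandLine']}")
```

Two things worth noting when tuning this rule: because `contains` is a substring match, `'.tif'` already covers every `.tiff` command line and `'.jpeg'` does not imply `'.jpg'` (so both are needed), and any path component containing one of the listed strings, not only the loaded DLL's extension, is enough to fire, which is why event 4 above alerts and why a site-specific filter on known tool directories is a sensible companion to the `falsepositives: Unknown` entry.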
References
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
Related rules
- Remote Thread Creation Via PowerShell In Uncommon Target
- Rhadamanthys Stealer Module Launch Via Rundll32.EXE
- Rundll32 InstallScreenSaver Execution
- Shell32 DLL Execution in Suspicious Directory
- Bad Opsec Defaults Sacrificial Processes With Improper Arguments