Suspicious Rundll32 Execution With Image Extension

Detects the execution of Rundll32.exe with DLL files masquerading as image files

Sigma rule (View on GitHub)

 1title: Suspicious Rundll32 Execution With Image Extension
 2id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec
 3related:
 4    - id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
 5      type: similar
 6status: test
 7description: Detects the execution of Rundll32.exe with DLL files masquerading as image files
 8references:
 9    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
10author: Hieu Tran
11date: 2023/03/13
12tags:
13    - attack.defense_evasion
14    - attack.t1218.011
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith: '\rundll32.exe'
21        - OriginalFileName: 'RUNDLL32.exe'
22    selection_cli:
23        CommandLine|contains:
24            - '.bmp'
25            - '.cr2'
26            - '.eps'
27            - '.gif'
28            - '.ico'
29            - '.jpeg'
30            - '.jpg'
31            - '.nef'
32            - '.orf'
33            - '.png'
34            - '.raw'
35            - '.sr2'
36            - '.tif'
37            - '.tiff'
38    condition: all of selection_*
39falsepositives:
40    - Unknown
41level: high

References

Related rules

to-top