Suspicious Usage Of ShellExec_RunDLL

Detects suspicious usage of the ShellExec_RunDLL export of shell32.dll, which rundll32.exe can invoke to launch another program or command line, as seen in the Raspberry Robin attack.

Sigma rule

title: Suspicious Usage Of ShellExec_RunDLL
id: d87bd452-6da1-456e-8155-7dc988157b7d
related:
    - id: 36c5146c-d127-4f85-8e21-01bf62355d5a
      type: obsolete
status: test
description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the raspberry-robin attack
references:
    - https://redcanary.com/blog/raspberry-robin/
    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
    - https://github.com/SigmaHQ/sigma/issues/1009
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2022-12-30
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_openasrundll:
        CommandLine|contains: 'ShellExec_RunDLL'
    selection_suspcli:
        CommandLine|contains:
            # Add more LOLBINs and Susp Paths
            - 'regsvr32'
            - 'msiexec'
            - '\Users\Public\'
            - 'odbcconf'
            - '\Desktop\'
            - '\Temp\'
            - 'Invoke-'
            - 'iex'
            - 'comspec'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
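The detection logic run over sample events, as an added example that is not part of the rule or of the SigmaHQ repository: the Python below reimplements the two `CommandLine|contains` selections and the `all of selection_*` condition (case-insensitive substring matching, which is Sigma's default for unmodified string values) and evaluates a handful of constructed process_creation events. The events, image paths and DLL names are made up for illustration; only the `CommandLine` field name is taken from the rule.

```python
from typing import Dict, List

# The two selections, copied from the rule's YAML. Python cannot end a raw
# string with a backslash, so the path values are written with doubled slashes.
SELECTION_OPENASRUNDLL: List[str] = ["ShellExec_RunDLL"]
SELECTION_SUSPCLI: List[str] = [
    "regsvr32",
    "msiexec",
    "\\Users\\Public\\",
    "odbcconf",
    "\\Desktop\\",
    "\\Temp\\",
    "Invoke-",
    "iex",
    "comspec",
]


def contains_hits(cmdline: str, needles: List[str]) -> List[str]:
    """Sigma `|contains` over a list of values: case-insensitive substring
    match, any value may hit. Returns every needle that matched so an analyst
    can see why the rule fired, not just that it did."""
    lowered = cmdline.lower()
    return [n for n in needles if n.lower() in lowered]


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: all of selection_* -> both selections must match CommandLine."""
    cmdline = event.get("CommandLine", "")
    return bool(contains_hits(cmdline, SELECTION_OPENASRUNDLL)) and bool(
        contains_hits(cmdline, SELECTION_SUSPCLI)
    )


def matched_terms(event: Dict[str, str]) -> List[str]:
    """The selection_suspcli values that matched; empty when the rule does not fire."""
    if not matches_rule(event):
        return []
    return contains_hits(event.get("CommandLine", ""), SELECTION_SUSPCLI)


# Constructed process_creation events (not real telemetry); only CommandLine is read.
EVENTS: List[Dict[str, str]] = [
    {   # 0: rundll32 hands ShellExec_RunDLL a command that runs odbcconf on a DLL under \Users\Public\
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,ShellExec_RunDLL odbcconf.exe /a {REGSVR C:\Users\Public\update.dll}",
    },
    {   # 1: same export, but the launched program matches none of the suspicious substrings
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe shell32.dll,ShellExec_RunDLL "C:\Program Files\Vendor\tool.exe"',
    },
    {   # 2: suspicious path present but no ShellExec_RunDLL, so only one selection matches
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s C:\Users\Public\update.dll",
    },
    {   # 3: mixed case; matching is case-insensitive, so this still fires on 'comspec'
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"RUNDLL32.EXE SHELL32.DLL,shellexec_rundll %COMSPEC% /c whoami",
    },
    {   # 4: 'iex' is a bare substring, so it also hits 'iexplore.exe' (a false-positive path to keep in mind)
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,ShellExec_RunDLL iexplore.exe https://example.com/",
    },
]


def run_rule(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (index, matched suspcli terms) for every event the rule fires on."""
    return [(i, matched_terms(e)) for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for idx, terms in run_rule(EVENTS):
        print(f"ALERT event[{idx}]: {EVENTS[idx]['CommandLine']}")
        print(f"  selection_suspcli hits: {terms}")
```

Events 0, 3 and 4 fire; 1 and 2 do not, because the condition needs both selections on the same command line. Event 4 is worth noting when tuning: `iex` is matched as a plain substring, so any program name containing those three letters (such as `iexplore.exe`) satisfies `selection_suspcli` once `ShellExec_RunDLL` is present. When the rule is converted for a specific backend, confirm that the backend keeps the case-insensitive semantics shown in event 3.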
