Suspicious Usage Of ShellExec_RunDLL

Detects suspicious usage of the ShellExec_RunDLL export of shell32.dll (invoked through rundll32) to launch other commands, as seen in the Raspberry Robin attack. The rule only fires when the command line both names ShellExec_RunDLL and contains one of a fixed set of suspicious paths or keywords; invocations that call the export by ordinal instead of by name do not contain that string and are not covered.

Sigma rule

title: Suspicious Usage Of ShellExec_RunDLL
id: d87bd452-6da1-456e-8155-7dc988157b7d
related:
    - id: 36c5146c-d127-4f85-8e21-01bf62355d5a
      type: obsolete
    - id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
      type: similar
status: test
description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the raspberry-robin attack
references:
    - https://redcanary.com/blog/raspberry-robin/
    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
    - https://github.com/SigmaHQ/sigma/issues/1009
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2022-12-30
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_openasrundll:
        CommandLine|contains: 'ShellExec_RunDLL'
    selection_suspcli:
        CommandLine|contains:
            # Note: The ordinal number may differ depending on the DLL version
            - '\Desktop\'
            - '\Temp\'
            - '\Users\Public\'
            - 'comspec'
            - 'iex'
            - 'Invoke-'
            - 'msiexec'
            - 'odbcconf'
            - 'regsvr32'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
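
The condition `all of selection_*` requires both selections to match the same CommandLine field, and Sigma's `contains` modifier is a case-insensitive substring test. The Python below is an added example, not the SigmaHQ rule's own code nor any Sigma backend's output: it re-implements the rule's logic and runs it over constructed process-creation events (none are real telemetry). It deliberately includes one event that calls the export by ordinal, which the string match cannot see, and one where the 'iex' keyword matches inside the path of iexplore.exe, a false-positive candidate the rule's `Unknown` entry does not list. The `#<ordinal>` in the evasion sample is a placeholder, not a real ordinal.

```python
"""Added example, not the SigmaHQ rule's own code: evaluates the rule's
detection logic over constructed Windows process_creation events."""

# Both selections of the rule, copied from the YAML above.
SELECTION_OPENASRUNDLL = ["ShellExec_RunDLL"]
SELECTION_SUSPCLI = [
    "\\Desktop\\",
    "\\Temp\\",
    "\\Users\\Public\\",
    "comspec",
    "iex",
    "Invoke-",
    "msiexec",
    "odbcconf",
    "regsvr32",
]


def sigma_contains(value: str, needles: list[str]) -> bool:
    """Sigma's |contains modifier: case-insensitive substring, OR over a list."""
    haystack = value.lower()
    return any(needle.lower() in haystack for needle in needles)


def matched_keywords(command_line: str) -> list[str]:
    """Return the selection_suspcli entries present in the command line (for triage)."""
    haystack = command_line.lower()
    return [n for n in SELECTION_SUSPCLI if n.lower() in haystack]


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -- both selections must hit CommandLine.
    The rule constrains only CommandLine, not Image or ParentImage."""
    command_line = event.get("CommandLine", "")
    return sigma_contains(command_line, SELECTION_OPENASRUNDLL) and sigma_contains(
        command_line, SELECTION_SUSPCLI
    )


# Constructed events (not real telemetry). Field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {   # Raspberry-Robin-style chain: rundll32 -> ShellExec_RunDLL -> odbcconf with a
        # regsvr action on a DLL under Users\Public (constructed, not a real sample)
        "id": "rr-odbcconf",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,ShellExec_RunDLL C:\Windows\SysWOW64\odbcconf.exe -a {regsvr C:\Users\Public\loader.dll}",
    },
    {   # Same export, but the target is an ordinary Program Files binary: no keyword hit
        "id": "benign-programfiles",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe shell32.dll,ShellExec_RunDLL "C:\Program Files\App\app.exe"',
    },
    {   # Mixed-case keywords: Sigma contains is case-insensitive, so still a hit
        "id": "comspec-upper",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"RUNDLL32.EXE SHELL32.DLL,SHELLEXEC_RUNDLL %COMSPEC% /c whoami",
    },
    {   # Blind spot: calling the export by ordinal ("#<ordinal>" is a placeholder; the
        # real number is version-dependent, as the rule's own note says) never contains
        # the string ShellExec_RunDLL, so the rule cannot fire
        "id": "ordinal-evasion",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,#<ordinal> C:\Users\Public\loader.exe",
    },
    {   # Candidate false positive: 'iex' is a substring of iexplore.exe
        "id": "iexplore-substring",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe shell32.dll,ShellExec_RunDLL "C:\Program Files\Internet Explorer\iexplore.exe" https://example.com',
    },
]


def evaluate(events: list[dict]) -> dict[str, bool]:
    """Map each event id to whether the rule would alert on it."""
    return {e["id"]: matches_rule(e) for e in events}


if __name__ == "__main__":
    for event_id, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{event_id:22} {'ALERT' if hit else '-'}")
```

Two things the run makes visible that the YAML alone does not: the ordinal-invocation event is missed because the detection is purely a string match on the export name, and any command line whose target path contains `iex` (iexplore.exe being the obvious one) satisfies the second selection, so that keyword is worth reviewing against your own baseline before deploying at `level: high`.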
