Suspicious Usage Of ShellExec_RunDLL
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
Sigma rule (View on GitHub)
1title: Suspicious Usage Of ShellExec_RunDLL
2id: d87bd452-6da1-456e-8155-7dc988157b7d
3related:
4 - id: 36c5146c-d127-4f85-8e21-01bf62355d5a
5 type: obsoletes
6status: test
7description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
8references:
9 - https://redcanary.com/blog/raspberry-robin/
10 - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
11 - https://github.com/SigmaHQ/sigma/issues/1009
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022/09/01
14modified: 2022/12/30
15tags:
16 - attack.defense_evasion
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection_openasrundll:
22 CommandLine|contains: 'ShellExec_RunDLL'
23 selection_suspcli:
24 CommandLine|contains:
25 # Add more LOLBINs and Susp Paths
26 - 'regsvr32'
27 - 'msiexec'
28 - '\Users\Public\'
29 - 'odbcconf'
30 - '\Desktop\'
31 - '\Temp\'
32 - 'Invoke-'
33 - 'iex'
34 - 'comspec'
35 condition: all of selection_*
36falsepositives:
37 - Unknown
38level: high
References
-
Raspberry Robin is a worm spread by external drives that leverages Windows Installer to download a malicious DLL.
Read More -
Summary Tool: Invoke-Obfuscation — PowerShell command and script obfuscation framework Author: Daniel Bohannon, @danielhbohannon Type: Offensive tool, threat simulation Materials: The Invoke-Obfusc...
Read More
Related rules
- AgentExecutor PowerShell Execution
- Change User Account Associated with the FAX Service
- Change the Fax Dll
- Exchange PowerShell Cmdlet History Deleted
- ImagingDevices Unusual Parent/Child Processes