Suspicious ShellExec_RunDLL Call Via Ordinal
Detects a suspicious call to the "ShellExec_RunDLL" function exported by SHELL32.DLL when it is invoked through its ordinal number rather than its name in order to launch other commands. An adversary might use only the ordinal number to bypass existing detections that alert on the string "ShellExec_RunDLL" appearing in the command line.
Sigma rule
```yaml
title: Suspicious ShellExec_RunDLL Call Via Ordinal
id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
related:
    - id: d87bd452-6da1-456e-8155-7dc988157b7d
      type: derived
status: test
description: |
    Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
    Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
references:
    - https://redcanary.com/blog/raspberry-robin/
    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
    - https://github.com/SigmaHQ/sigma/issues/1009
    - https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
author: Swachchhanda Shrawan Poudel
date: 2024-12-01
tags:
    - attack.defense-evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent_img:
        ParentCommandLine|contains: 'SHELL32.DLL'
    selection_parent_ordinal:
        ParentCommandLine|contains:
            # Note: The ordinal number may differ depending on the DLL version
            # Example: rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"
            - '#568'
            - '#570'
            - '#572'
            - '#576'
    selection_susp_cli_parent:
        # Note: Add additional binaries and suspicious paths to increase coverage
        - ParentCommandLine|contains:
              - 'comspec'
              - 'iex'
              - 'Invoke-'
              - 'msiexec'
              - 'odbcconf'
              - 'regsvr32'
        - ParentCommandLine|contains:
              - '\Desktop\'
              - '\ProgramData\'
              - '\Temp\'
              - '\Users\Public\'
    selection_susp_child_img:
        Image|endswith:
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\msxsl.exe'
            - '\odbcconf.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: all of selection_parent_* and 1 of selection_susp_*
falsepositives:
    - Unknown
level: high
```
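To see how the condition combines the selections above, here is an added Python evaluation of the rule over a few constructed process_creation events; it is not part of the rule or of SigmaHQ's tooling, and the event dictionaries and their field values are assumed for illustration (Sigma string modifiers are case-insensitive, which the code mirrors by lower-casing).

```python
# Added example, not part of the Sigma rule or SigmaHQ code: evaluates this
# rule's selections and condition over constructed process_creation events.
# Sigma string modifiers are case-insensitive, so values are lower-cased.
ORDINALS = ("#568", "#570", "#572", "#576")
SUSP_PARENT_TOKENS = ("comspec", "iex", "invoke-", "msiexec", "odbcconf", "regsvr32")
SUSP_PARENT_PATHS = ("\\desktop\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
SUSP_CHILD_IMAGES = (
    "\\bash.exe", "\\bitsadmin.exe", "\\cmd.exe", "\\cscript.exe", "\\curl.exe",
    "\\mshta.exe", "\\msiexec.exe", "\\msxsl.exe", "\\odbcconf.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\regsvr32.exe", "\\schtasks.exe",
    "\\wmic.exe", "\\wscript.exe",
)


def matches_rule(event: dict) -> bool:
    """True when 'all of selection_parent_* and 1 of selection_susp_*' holds."""
    parent_cli = event.get("ParentCommandLine", "").lower()
    image = event.get("Image", "").lower()
    selection_parent_img = "shell32.dll" in parent_cli
    selection_parent_ordinal = any(o in parent_cli for o in ORDINALS)
    # A list of two maps under one selection is OR-ed in Sigma.
    selection_susp_cli_parent = any(t in parent_cli for t in SUSP_PARENT_TOKENS) or any(
        p in parent_cli for p in SUSP_PARENT_PATHS
    )
    selection_susp_child_img = image.endswith(SUSP_CHILD_IMAGES)
    return (selection_parent_img and selection_parent_ordinal) and (
        selection_susp_cli_parent or selection_susp_child_img
    )


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {  # ordinal call spawning cmd.exe: hit via selection_susp_child_img
        "ParentCommandLine": 'rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"',
        "Image": "C:\\Windows\\System32\\cmd.exe",
    },
    {  # ordinal call launching a binary under \Temp\: hit via selection_susp_cli_parent
        "ParentCommandLine": "rundll32.exe shell32.dll,#568 C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe",
        "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe",
    },
    {  # export called by name, not by ordinal: selection_parent_ordinal fails
        "ParentCommandLine": 'rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c calc.exe"',
        "Image": "C:\\Windows\\System32\\cmd.exe",
    },
    {  # ordinal call but benign child, no suspicious token or path: no hit
        "ParentCommandLine": "rundll32 SHELL32.DLL,#576 notepad.exe",
        "Image": "C:\\Windows\\System32\\notepad.exe",
    },
]
```

The third event shows why this rule is marked as derived from the named-export rule: the name-based variant is left to that related rule, while this one only fires on the ordinal form.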
Related rules
- Bad Opsec Defaults Sacrificial Processes With Improper Arguments
- Potentially Suspicious Rundll32.EXE Execution of UDL File
- Rundll32 UNC Path Execution
- Kapeka Backdoor Execution Via RunDLL32.EXE
- Kapeka Backdoor Loaded Via Rundll32.EXE