Suspicious ShellExec_RunDLL Call Via Ordinal

 1title: Suspicious ShellExec_RunDLL Call Via Ordinal
 2id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
 3related:
 4    - id: d87bd452-6da1-456e-8155-7dc988157b7d
 5      type: derived
 6status: test
 7description: |
 8    Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
 9    Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.    
10references:
11    - https://redcanary.com/blog/raspberry-robin/
12    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
13    - https://github.com/SigmaHQ/sigma/issues/1009
14    - https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
15author: Swachchhanda Shrawan Poudel
16date: 2024-12-01
17tags:
18    - attack.defense-evasion
19    - attack.t1218.011
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_parent_img:
25        ParentCommandLine|contains: 'SHELL32.DLL'
26    selection_parent_ordinal:
27        ParentCommandLine|contains:
28            # Note: The ordinal number may differ depending on the DLL version
29            # Example: rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"
30            - '#568'
31            - '#570'
32            - '#572'
33            - '#576'
34    selection_susp_cli_parent:
35        # Note: Add additional binaries and suspicious paths to increase coverage
36        - ParentCommandLine|contains:
37              - 'comspec'
38              - 'iex'
39              - 'Invoke-'
40              - 'msiexec'
41              - 'odbcconf'
42              - 'regsvr32'
43        - ParentCommandLine|contains:
44              - '\Desktop\'
45              - '\ProgramData\'
46              - '\Temp\'
47              - '\Users\Public\'
48    selection_susp_child_img:
49        Image|endswith:
50            - '\bash.exe'
51            - '\bitsadmin.exe'
52            - '\cmd.exe'
53            - '\cscript.exe'
54            - '\curl.exe'
55            - '\mshta.exe'
56            - '\msiexec.exe'
57            - '\msxsl.exe'
58            - '\odbcconf.exe'
59            - '\powershell.exe'
60            - '\pwsh.exe'
61            - '\regsvr32.exe'
62            - '\schtasks.exe'
63            - '\wmic.exe'
64            - '\wscript.exe'
65    condition: all of selection_parent_* and 1 of selection_susp_*
66falsepositives:
67    - Unknown
68level: high

References

• Raspberry Robin gets the worm early

  

  Raspberry Robin is a worm spread by external drives that leverages Windows Installer to download a malicious DLL.

  
  Read More

• Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity | Microsoft Security Blog

  

  Microsoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread.

  
  Read More

• Invoke-Obfuscation · Issue #1009 · SigmaHQ/sigma

  

  Summary Tool: Invoke-Obfuscation — PowerShell command and script obfuscation framework Author: Daniel Bohannon, @danielhbohannon Type: Offensive tool, threat simulation Materials: The Invoke-Obfusc...

  
  Read More

• shell32.dll | Windows Shell Common Dll

  What is shell32.dll?

  
  Read More

Related rules

• Bad Opsec Defaults Sacrificial Processes With Improper Arguments
• Potentially Suspicious Rundll32.EXE Execution of UDL File
• Rundll32 UNC Path Execution
• Kapeka Backdoor Execution Via RunDLL32.EXE
• Kapeka Backdoor Loaded Via Rundll32.EXE