Suspicious Rundll32 Activity Invoking Sys File
Detects suspicious rundll32 process activity whose command line references a *.sys file, as seen used by UNC2452.
Sigma rule
```yaml
title: Suspicious Rundll32 Activity Invoking Sys File
id: 731231b9-0b5d-4219-94dd-abb6959aa7ea
status: test
description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
references:
    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains: 'rundll32.exe'
    selection2:
        CommandLine|contains:
            - '.sys,'
            - '.sys '
    condition: all of selection*
falsepositives:
    - Unknown
level: high
```
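To show how the detection block above evaluates, here is an added Python example (not part of the Sigma project or of this rule): a minimal evaluator for the two selections and the `all of selection*` condition, run over constructed process_creation events. It assumes Sigma's default semantics for `contains` (case-insensitive substring match) and uses made-up paths and file names.

```python
# Added example: evaluate this rule's detection block against sample events.
# The rule's two selections and condition, transcribed from the YAML above.
RULE_DETECTION = {
    "selection1": {"CommandLine|contains": ["rundll32.exe"]},
    "selection2": {"CommandLine|contains": [".sys,", ".sys "]},
}


def _field_matches(key: str, patterns, event: dict) -> bool:
    """Evaluate one 'Field|modifier' entry; list values are OR-ed."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, ""))
    if modifier == "contains":
        # Sigma string matching is case-insensitive by default.
        return any(p.lower() in value.lower() for p in patterns)
    if modifier == "":
        return any(value.lower() == p.lower() for p in patterns)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: dict, event: dict) -> bool:
    """All fields inside one selection must match (AND)."""
    return all(_field_matches(k, v if isinstance(v, list) else [v], event)
               for k, v in selection.items())


def rule_matches(event: dict) -> bool:
    """condition: all of selection*  ->  every selection must match."""
    return all(selection_matches(sel, event) for sel in RULE_DETECTION.values())


# Constructed sample events (not real telemetry); paths and names are made up.
SAMPLE_EVENTS = [
    {"CommandLine": r"rundll32.exe C:\Windows\Temp\example.sys, Start"},
    {"CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"CommandLine": r"driverquery /v"},
    # Ends in '.sys' with no trailing comma or space: neither pattern fires.
    {"CommandLine": r"rundll32.exe C:\Windows\Temp\update.sys"},
    # Case variation still fires because matching is case-insensitive.
    {"CommandLine": r"RUNDLL32.EXE C:\Temp\a.SYS, DllRegisterServer"},
]


def matching_indices(events=SAMPLE_EVENTS):
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in matching_indices():
        print(f"ALERT [{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Note the fourth event: because the rule keys on `.sys,` and `.sys ` rather than a bare `.sys`, a command line that ends in `.sys` is not matched, which is worth knowing when tuning or extending the rule.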
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- CobaltStrike Load by Rundll32
- Code Execution via Pcwutl.dll
- Equation Group DLL_U Export Function Load