Potentially Suspicious Rundll32.EXE Execution of UDL File
Detects rundll32.exe, spawned by explorer.exe, calling the OpenDSLFile export of oledb32.dll to open a Microsoft Data Link (.udl) file from a user's Downloads folder. This is the command line Windows generates when a user double-clicks a .udl file, so a UDL file delivered by e-mail or download works as a phishing lure: the Data Link Properties dialog it opens can be abused to capture authentication credentials or other sensitive data.
Sigma rule
```yaml
title: Potentially Suspicious Rundll32.EXE Execution of UDL File
id: 0ea52357-cd59-4340-9981-c46c7e900428
status: experimental
description: |
    Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
    Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
references:
    - https://trustedsec.com/blog/oops-i-udld-it-again
author: '@kostastsale'
date: 2024-08-16
tags:
    - attack.execution
    - attack.t1218.011
    - attack.t1071
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'oledb32.dll'
            - ',OpenDSLFile '
            - '\\Users\\*\\Downloads\\' # Note: You can adjust the path to the download directory or other directories according to your environment.
        CommandLine|endswith: '.udl'
    condition: all of selection_*
falsepositives:
    - UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
level: medium
```
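To see which events the rule's `all of selection_*` condition actually fires on, here is its matching logic transcribed into Python and run over four constructed process_creation events. This is an added example, not code from the Sigma project or the rule author. The string matching follows Sigma's default semantics as I understand them: comparisons are case-insensitive, a bare `*` is a wildcard, and `\\` in a rule value is one literal backslash. The field names (ParentImage, Image, OriginalFileName, CommandLine) are those of the Sigma Windows process_creation log source; the sample events are invented.

```python
import re

# Added illustration of the rule's detection logic; not part of SigmaHQ.
# Field names follow the Sigma windows/process_creation taxonomy.


def sigma_to_regex(pattern: str) -> str:
    """Translate a Sigma value string into a regex fragment.

    Sigma escaping: '\\\\' is one literal backslash, '\\*' and '\\?' are literal
    wildcard characters, bare '*' / '?' are wildcards, anything else is literal.
    Callers compile with re.IGNORECASE because Sigma matching is case-insensitive.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "\\*?":
            out.append(re.escape(pattern[i + 1]))  # escaped backslash / wildcard
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def contains(value: str, pattern: str) -> bool:
    return re.search(sigma_to_regex(pattern), value, re.IGNORECASE) is not None


def endswith(value: str, pattern: str) -> bool:
    return re.search(sigma_to_regex(pattern) + r"\Z", value, re.IGNORECASE) is not None


def equals(value: str, pattern: str) -> bool:
    return re.fullmatch(sigma_to_regex(pattern), value, re.IGNORECASE) is not None


# The same values as in the rule above (raw strings, so '\\' stays two characters
# exactly as YAML single quotes deliver them to Sigma).
DOWNLOADS_PATTERN = r"\\Users\\*\\Downloads\\"
CLI_CONTAINS_ALL = ("oledb32.dll", ",OpenDSLFile ", DOWNLOADS_PATTERN)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'all of selection_*' of the rule."""
    selection_parent = endswith(event.get("ParentImage", ""), r"\explorer.exe")
    # A list of maps under a selection is OR-ed: a renamed rundll32 copy is still
    # caught through the PE header's OriginalFileName.
    selection_img = endswith(event.get("Image", ""), r"\rundll32.exe") or equals(
        event.get("OriginalFileName", ""), "RUNDLL32.EXE"
    )
    cli = event.get("CommandLine", "")
    selection_cli = all(contains(cli, p) for p in CLI_CONTAINS_ALL) and endswith(cli, ".udl")
    return selection_parent and selection_img and selection_cli


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0. The lure: user double-clicks a UDL file sitting in Downloads.
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\oledb32.dll,OpenDSLFile C:\Users\alice\Downloads\Invoice_2024.udl',
    },
    # 1. Renamed rundll32 copy and upper-case extension: Image fails, OriginalFileName matches.
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Users\bob\AppData\Local\Temp\r32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"r32.exe C:\Windows\System32\oledb32.dll,OpenDSLFile C:\Users\bob\Downloads\report.UDL",
    },
    # 2. Admin opening a UDL kept in a project folder: outside the Downloads scope, no alert.
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\oledb32.dll,OpenDSLFile C:\Users\carol\Documents\dev\prod_db.udl',
    },
    # 3. Same command line launched from cmd.exe instead of Explorer: selection_parent fails.
    {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Windows\System32\oledb32.dll,OpenDSLFile C:\Users\dave\Downloads\x.udl",
    },
]


def alerting_indices(events) -> list:
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(alerting_indices(SAMPLE_EVENTS))  # [0, 1]
```

Events 2 and 3 show the two deliberate scoping decisions in the rule: the `\Users\*\Downloads\` substring keeps routine DBA use of UDL files from project folders out of the medium-severity alert (at the cost of missing lures opened from other locations, which is what the in-rule comment about adjusting the path is for), and the explorer.exe parent pins the detection to the double-click path a phished user takes. Event 1 is why `OriginalFileName` sits alongside `Image|endswith` in `selection_img`: renaming the rundll32 binary does not change the PE header.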
References
- https://trustedsec.com/blog/oops-i-udld-it-again
Related rules
- Suspicious Rundll32 Execution of UDL File
- APT29 2018 Phishing Campaign CommandLine Indicators
- Fireball Archer Install
- HTML Help HH.EXE Suspicious Child Process
- HackTool - RedMimicry Winnti Playbook Execution