Potentially Suspicious Rundll32.EXE Execution of UDL File
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
Sigma rule
title: Potentially Suspicious Rundll32.EXE Execution of UDL File
id: 0ea52357-cd59-4340-9981-c46c7e900428
status: experimental
description: |
    Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
    Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
references:
    - https://trustedsec.com/blog/oops-i-udld-it-again
author: '@kostastsale'
date: 2024-08-16
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.command-and-control
    - attack.t1218.011
    - attack.t1071
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'oledb32.dll'
            - ',OpenDSLFile '
            - '\\Users\\*\\Downloads\\' # Note: You can adjust the path to the download directory or other directories according to your environment.
        CommandLine|endswith: '.udl'
    condition: all of selection_*
falsepositives:
    - UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
level: medium
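As an added example (not part of the rule or of any Sigma tooling), the detection logic above applied in Python to four constructed process-creation events: a downloaded UDL opened from Explorer, the same action from a developer directory outside the watched path, a renamed rundll32 binary that only OriginalFileName still identifies, and an execution whose parent is cmd.exe. The event field names, paths and user name are constructed for illustration.

```python
import re

# Constructed process-creation events (not from a real host). Index 0 and 2 should alert.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",  # downloaded UDL opened by double-click: alert
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\oledb32.dll,OpenDSLFile C:\Users\alice\Downloads\invoice.udl'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",  # developer's UDL outside the Downloads path: no alert
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\oledb32.dll,OpenDSLFile C:\Dev\db\prod.udl'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Users\alice\Downloads\r32.exe",
     "OriginalFileName": "RUNDLL32.EXE",  # renamed binary; OriginalFileName still identifies rundll32: alert
     "CommandLine": r"r32.exe oledb32.dll,OpenDSLFile C:\Users\alice\Downloads\conn.udl"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",  # parent is cmd.exe, not explorer.exe: no alert
     "CommandLine": r"rundll32.exe oledb32.dll,OpenDSLFile C:\Users\alice\Downloads\conn.udl"},
]
# Values transcribed from the rule; Sigma's '\\' escapes resolved to single backslashes,
# and '*' is the only wildcard handled here.
CLI_CONTAINS_ALL = ["oledb32.dll", ",OpenDSLFile ", "\\Users\\*\\Downloads\\"]

def _wildcard_regex(value, start=False, end=False):
    """'*' matches anything, everything else is literal; Sigma matching is case-insensitive."""
    body = ".*".join(re.escape(part) for part in value.split("*"))
    return ("^" if start else "") + body + ("$" if end else "")

def sigma_match(field_value, pattern, modifier="contains"):
    if modifier == "contains":
        rx = _wildcard_regex(pattern)
    elif modifier == "endswith":
        rx = _wildcard_regex(pattern, end=True)
    else:  # plain equality, as for OriginalFileName
        rx = _wildcard_regex(pattern, start=True, end=True)
    return re.search(rx, field_value, re.IGNORECASE) is not None

def matches_rule(ev):
    """condition: all of selection_* (a list of maps inside a selection is OR-ed)."""
    f = lambda k: ev.get(k, "")
    selection_parent = sigma_match(f("ParentImage"), "\\explorer.exe", "endswith")
    selection_img = (sigma_match(f("Image"), "\\rundll32.exe", "endswith")
                     or sigma_match(f("OriginalFileName"), "RUNDLL32.EXE", "equals"))
    selection_cli = (all(sigma_match(f("CommandLine"), p) for p in CLI_CONTAINS_ALL)
                     and sigma_match(f("CommandLine"), ".udl", "endswith"))
    return selection_parent and selection_img and selection_cli

def alerts(events):
    return [i for i, ev in enumerate(events) if matches_rule(ev)]

if __name__ == "__main__":
    print("alerting event indices:", alerts(SAMPLE_EVENTS))  # [0, 2]
```

The second event shows why the Downloads path filter in the rule is worth tuning to your environment: a legitimate UDL opened from another directory never reaches the alert.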
References
- https://trustedsec.com/blog/oops-i-udld-it-again
Related rules
- Outbound Network Connection To Public IP Via Winlogon
- Kapeka Backdoor Loaded Via Rundll32.EXE
- Potential Raspberry Robin CPL Execution Activity
- Remote Thread Creation Via PowerShell In Uncommon Target
- Suspicious Rundll32 Execution of UDL File