Rundll32 UNC Path Execution
Detects rundll32 execution where the DLL is located on a remote location (share)
Sigma rule (View on GitHub)
title: Rundll32 UNC Path Execution
id: 5cdb711b-5740-4fb2-ba88-f7945027afac
status: test
description: Detects rundll32 execution where the DLL is located on a remote location (share)
references:
    - https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-10
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1021.002
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli:
        CommandLine|contains: ' \\\\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
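How this rule's detection logic evaluates against process_creation events, as an added Python example that is not part of the Sigma project or this rule: the three selection_img items are ORed (so a renamed rundll32 binary is still caught via OriginalFileName), selection_cli looks for the Sigma value ' \\\\', which under Sigma escaping denotes a space followed by two literal backslashes (the UNC prefix), and the condition ANDs both selections. Sigma string matching is case-insensitive; the events below are constructed samples, not real telemetry.

```python
# Constructed sample process_creation events (Sysmon/EDR shaped), not real logs
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe \\fileserver\share\update.dll,Start"},      # UNC DLL
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # local DLL
    {"Image": r"C:\Users\alice\copy.exe", "OriginalFileName": "RUNDLL32.EXE",   # renamed rundll32
     "CommandLine": r"copy.exe \\10.0.0.5\c$\tools\x.dll,Run"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir \\fileserver\share"},                        # UNC, not rundll32
]


def selection_img(ev):
    # A list under a selection is OR: any one item matching is enough.
    # Sigma string comparisons are case-insensitive, hence the lower().
    image = ev.get("Image", "").lower()
    original = ev.get("OriginalFileName", "").lower()
    cli = ev.get("CommandLine", "").lower()
    return (image.endswith("\\rundll32.exe")
            or original == "rundll32.exe"
            or "rundll32" in cli)


def selection_cli(ev):
    # Sigma ' \\\\' == space + two literal backslashes, i.e. " \\" in Python
    return " \\\\" in ev.get("CommandLine", "").lower()


def matches(ev):
    # condition: all of selection_*  -> both selections must hold
    return selection_img(ev) and selection_cli(ev)


def run(events=EVENTS):
    # Returns the indices of events that fire the rule
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in run():
        print(f"ALERT event {i}: {EVENTS[i]['CommandLine']}")
```

Event 3 shows why the AND matters: a UNC path alone is not enough, the process must also be rundll32 by image, original file name, or command line.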
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- Fireball Archer Install
- HTML Help HH.EXE Suspicious Child Process
- HackTool - RedMimicry Winnti Playbook Execution
- Kapeka Backdoor Loaded Via Rundll32.EXE