Rundll32 Execution With Uncommon DLL Extension

calendar Aug 12, 2024 · attack.defense-evasion attack.t1218.011  ·
Share on: linkedin copy

Detects the execution of rundll32 with a command line that doesn't contain a common extension

Sigma rule (View on GitHub)

 1title: Rundll32 Execution With Uncommon DLL Extension
 2id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf
 3status: experimental
 4description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
 5references:
 6    - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 7author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
 8date: 2022-01-13
 9modified: 2024-04-04
10tags:
11    - attack.defense-evasion
12    - attack.t1218.011
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        - Image|endswith: '\rundll32.exe'
19        - OriginalFileName: 'RUNDLL32.EXE'
20    filter_main_null:
21        CommandLine: null
22    filter_main_empty:
23        CommandLine: ''
24    filter_main_known_extension:
25        - CommandLine|contains:
26              # Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage.
27              - '.cpl '
28              - '.cpl,'
29              - '.cpl"'
30              - ".cpl'"
31              - '.dll '
32              - '.dll,'
33              - '.dll"'
34              - ".dll'"
35              - '.inf '
36              - '.inf,'
37              - '.inf"'
38              - ".inf'"
39        - CommandLine|endswith:
40              # Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage.
41              - '.cpl'
42              - '.dll'
43              - '.inf'
44    filter_main_localserver:
45        CommandLine|contains: ' -localserver '
46    filter_main_zzzzInvokeManagedCustomActionOutOfProc:
47        ParentImage|endswith: '\msiexec.exe'
48        CommandLine|contains|all:
49            - ':\Windows\Installer\'
50            - '.tmp'
51            - 'zzzzInvokeManagedCustomActionOutOfProc'
52    filter_optional_EdgeUpdate:
53        ParentCommandLine|contains|all:
54            - ':\Users\'
55            - '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
56            - '\EDGEMITMP_'
57            - '.tmp\setup.exe'
58            - '--install-archive='
59            - '--previous-version='
60            - '--msedgewebview --verbose-logging --do-not-launch-msedge --user-level'
61    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
62falsepositives:
63    - Unknown
64level: medium

References

Related rules

to-top