Suspicious Workstation Locking via Rundll32

Jan 1, 2024 · attack.defense_evasion ·

Detects a suspicious call to the user32.dll function that locks the user workstation

Sigma rule (View on GitHub)

 1title: Suspicious Workstation Locking via Rundll32
 2id: 3b5b0213-0460-4e3f-8937-3abf98ff7dcc
 3status: test
 4description: Detects a suspicious call to the user32.dll function that locks the user workstation
 5references:
 6    - https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/
 7author: frack113
 8date: 2022/06/04
 9modified: 2023/02/09
10tags:
11    - attack.defense_evasion
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection_call_img:
17        - Image|endswith: '\rundll32.exe'
18        - OriginalFileName: 'RUNDLL32.EXE'
19    selection_call_parent:
20        ParentImage|endswith: '\cmd.exe'
21    selection_call_cli:
22        CommandLine|contains: 'user32.dll,'
23    selection_function:
24        CommandLine|contains: 'LockWorkStation'
25    condition: all of selection_*
26fields:
27    - Image
28    - ParentImage
29falsepositives:
30    - Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option
31level: medium

References

Analysis hydroxide.cmd (MD5: 46F64C63D63816C0511FE51198993BE7) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

Read More

Suspicious Workstation Locking via Rundll32

Sigma rule (View on GitHub)

References

Analysis hydroxide.cmd (MD5: 46F64C63D63816C0511FE51198993BE7) Malicious activity - Interactive analysis ANY.RUN

Related rules