Detects attackers using tooling with bad opsec defaults.
E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
DLLs that are designed to be loaded by Regsvr32 are expected to have a DllRegisterServer export function implemented. This detects use of the same DLL to rundll32.exe. Inspired by the 2022 Red Canary Threat Detection report.
Detects instances of rundll32.exe running Windows native DLLs that have export functionalities that adversaries commonly leverage for executing malicious code and evading defensive controls. Inspired by the 2022 Red Canary Threat Detection report.