Injected Browser Process Spawning Rundll32

Detects GuLoader running on a host. GuLoader injects into a browser process and from there spawns rundll32.exe, which it uses to initiate its network connections. The rule therefore fires when rundll32.exe is started by a browser parent (msedge.exe, chrome.exe or firefox.exe) with a command line that ends in rundll32.exe, i.e. with no arguments.

Sigma rule

```yaml
title: Injected Browser Process Spawning Rundll32
description: Detects GuLoader running on the host. GuLoader initiates its network connections from a rundll32.exe process that it spawns from an injected browser parent process.
status: experimental
date: 2023/08/07
author: '@kostastsale'
references:
    -
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith:
          - '\msedge.exe'
          - '\chrome.exe'
          - '\firefox.exe'
        Image|endswith:
          - '\rundll32.exe'
        CommandLine|endswith:
          - '\rundll32.exe'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense_evasion
    - attack.t1055
```
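To see what the selection above actually matches, here is an added example (not part of the rule or of Sigma's own tooling): a minimal evaluator that transcribes `selection1` field by field and runs it over a handful of constructed process_creation events. Field names follow the Sigma process_creation taxonomy (ParentImage, Image, CommandLine), fields inside a selection are ANDed, the values listed under one field are ORed, and string matching is case-insensitive as Sigma specifies by default. The event IDs, paths and command lines are made up for the demonstration. The last event illustrates a caveat of the rule as written: if a log source records the command line with surrounding quotes, the value ends in `"` rather than `\rundll32.exe`, so `CommandLine|endswith` does not match even though the process is a bare rundll32.exe under a browser; check how your telemetry records quoted command lines before relying on that field.

```python
"""Added example: evaluate the 'Injected Browser Process Spawning Rundll32'
selection over constructed process_creation events. Not part of the original
rule; the event data below is fabricated for illustration."""

from typing import Dict, List

# selection1 from the rule, transcribed field by field.
SELECTION: Dict[str, List[str]] = {
    "ParentImage|endswith": [r"\msedge.exe", r"\chrome.exe", r"\firefox.exe"],
    "Image|endswith": [r"\rundll32.exe"],
    "CommandLine|endswith": [r"\rundll32.exe"],
}


def field_matches(event: Dict[str, str], field_spec: str, values: List[str]) -> bool:
    """Apply one 'Field|modifier' entry to an event (values are ORed).

    Matching is case-insensitive, which is Sigma's default for string fields.
    """
    name, _, modifier = field_spec.partition("|")
    actual = str(event.get(name, "")).lower()
    if modifier == "endswith":
        return any(actual.endswith(v.lower()) for v in values)
    if modifier == "":
        return any(actual == v.lower() for v in values)
    raise ValueError(f"unsupported modifier {modifier!r}")


def matches_rule(event: Dict[str, str]) -> bool:
    """All fields of a selection must match (AND across fields)."""
    return all(field_matches(event, spec, vals) for spec, vals in SELECTION.items())


def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events that would raise this rule's alert."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # true positive: bare rundll32.exe under chrome.exe
        "id": "tp-bare-rundll32",
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"C:\Windows\System32\rundll32.exe",
    },
    {   # true positive: same pattern, mixed case and the SysWOW64 copy
        "id": "tp-edge-case-insensitive",
        "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\MSEDGE.EXE",
        "Image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
        "CommandLine": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
    },
    {   # no match: rundll32 given arguments, so CommandLine does not end in rundll32.exe
        "id": "benign-rundll32-with-args",
        "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"C:\Windows\System32\rundll32.exe url.dll,FileProtocolHandler https://example.com",
    },
    {   # no match: parent is not one of the listed browsers
        "id": "benign-explorer-parent",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"C:\Windows\System32\rundll32.exe",
    },
    {   # gap: same bare rundll32 as the first event, but the command line is quoted,
        # so it ends in '"' and the endswith check in the rule does not fire
        "id": "gap-quoted-cmdline",
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe"',
    },
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:28} -> {'ALERT' if matches_rule(e) else 'no match'}")
```

Run as a script it prints one verdict per sample event; only the two bare-rundll32-under-a-browser events alert, and the quoted command line is left unflagged, which is the case to verify against your own log source.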
