Injected Browser Process Spawning Rundll32
Detects the execution of installed GuLoader malware on the host: GuLoader initiates network connections through a rundll32.exe process that is spawned by an injected browser parent process.
Sigma rule
```yaml
title: Injected Browser Process Spawning Rundll32
description: Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent (injected) process.
status: experimental
date: 2023/08/07
author: '@kostastsale'
references:
    -
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith:
            - '\msedge.exe'
            - '\chrome.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\rundll32.exe'
        CommandLine|endswith:
            - '\rundll32.exe'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense_evasion
    - attack.T1055
```
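To make the matching logic concrete, here is an added example (not part of the rule or the Sigma project) that evaluates `selection1` over constructed Windows process-creation events: every field uses Sigma's `endswith` modifier, which is case-insensitive, and because `CommandLine` must end in `\rundll32.exe`, only a full-path rundll32 launched with no arguments matches. The event field names follow the rule; the sample events are constructed for this example.

```python
# Added example: evaluate the rule's selection1 against process_creation
# events. Field names (ParentImage, Image, CommandLine) follow the Sigma rule.

BROWSER_PARENTS = ("\\msedge.exe", "\\chrome.exe", "\\firefox.exe")
RUNDLL32 = "\\rundll32.exe"


def _endswith_ci(value, suffixes):
    """Sigma's `endswith` modifier: case-insensitive suffix match."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """True when a process_creation event satisfies selection1 (all three fields)."""
    return (_endswith_ci(event.get("ParentImage", ""), BROWSER_PARENTS)
            and _endswith_ci(event.get("Image", ""), (RUNDLL32,))
            and _endswith_ci(event.get("CommandLine", ""), (RUNDLL32,)))


# Constructed sample events in Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe"},            # bare rundll32 from browser -> alert
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe"},            # non-browser parent -> no alert
    {"ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\Windows\SysWOW64\RUNDLL32.EXE"},            # case differs, still matches -> alert
    {"ParentImage": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},     # arguments present -> no alert
]


def alert_indices(events):
    """Indices of events that would raise this rule's alert."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in alert_indices(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['ParentImage']} -> {SAMPLE_EVENTS[i]['CommandLine']}")
```

Note that a command line quoted as `"C:\Windows\System32\rundll32.exe"` ends in a quote character and would not match the rule's `CommandLine|endswith` clause, so logging that preserves quoting needs to be accounted for when tuning.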
Related rules
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex
- Potential Mpclient.DLL Sideloading
- Potential Mpclient.DLL Sideloading Via Defender Binaries
- Potential AVKkid.DLL Sideloading