Injected Browser Process Spawning Rundll32
Detects the execution of installed GuLoader malware on the host. GuLoader injects into a browser process, and that injected browser process then spawns rundll32.exe, which is the process GuLoader uses to initiate its network connections.
Sigma rule

```yaml
title: Injected Browser Process Spawning Rundll32
id: 89e1490f-1a3e-452a-bbb8-b68a5f58072f
description: Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.
status: experimental
date: 2023/08/07
author: '@kostastsale'
references:
  -
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith:
      - '\msedge.exe'
      - '\chrome.exe'
      - '\firefox.exe'
    Image|endswith:
      - '\rundll32.exe'
    CommandLine|endswith:
      - '\rundll32.exe'
  condition: selection1
falsepositives:
  - Unlikely
level: high
tags:
  - attack.defense_evasion
  - attack.T1055
```
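To show what the rule actually matches, the following is an added example (not the rule author's code and not part of the Sigma project) that re-implements selection1 in Python and runs it over a handful of constructed process_creation events. The field names follow the Sigma process_creation taxonomy; the event records, paths and the `matches_rule` / `alerting_indices` helper names are assumptions made for this example. Note that all three conditions are ANDed and use Sigma's default case-insensitive `endswith`, so the `CommandLine` condition only fires when rundll32.exe is launched with no arguments at all.

```python
"""Evaluate the 'Injected Browser Process Spawning Rundll32' Sigma logic
over constructed process_creation events.

Added example: this is not the rule's own code and not part of Sigma.
"""

# Suffix lists copied from selection1 in the rule above. Sigma string
# matching is case-insensitive by default, so we lower-case both sides.
PARENT_SUFFIXES = ("\\msedge.exe", "\\chrome.exe", "\\firefox.exe")
IMAGE_SUFFIXES = ("\\rundll32.exe",)
CMDLINE_SUFFIXES = ("\\rundll32.exe",)


def _endswith_any(value, suffixes):
    """Case-insensitive 'endswith' against any suffix (Sigma |endswith)."""
    value = (value or "").lower()
    return any(value.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """True when one process_creation event satisfies selection1 (all ANDed)."""
    return (
        _endswith_any(event.get("ParentImage"), PARENT_SUFFIXES)
        and _endswith_any(event.get("Image"), IMAGE_SUFFIXES)
        and _endswith_any(event.get("CommandLine"), CMDLINE_SUFFIXES)
    )


# Constructed sample events (not real telemetry). Keys mirror the Sigma
# process_creation field names (e.g. Sysmon Event ID 1 / Security 4688).
SAMPLE_EVENTS = [
    {   # 0: Chrome parent, argument-less rundll32 -> should alert
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"C:\Windows\System32\rundll32.exe",
    },
    {   # 1: Edge parent, mixed case (case-insensitive match) -> should alert
        "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\MSEDGE.EXE",
        "Image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
        "CommandLine": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
    },
    {   # 2: ordinary rundll32 use from Explorer with arguments -> no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
    },
    {   # 3: browser spawning its own content process, not rundll32 -> no alert
        "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc',
    },
    {   # 4: WebView2 host is not in the ParentImage list -> no alert (coverage gap)
        "ParentImage": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"C:\Windows\System32\rundll32.exe",
    },
]


def alerting_indices(events=SAMPLE_EVENTS):
    """Indices of the events that would raise this rule (level: high)."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in alerting_indices():
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['ParentImage']} -> {e['CommandLine']}")
```

Events 0 and 1 alert; event 2 shows why normal rundll32 usage (which almost always carries a DLL and entry-point argument) does not trip the `CommandLine` condition, and event 4 shows that suffix matching is strict, so a browser-family process with a different image name (here the Edge WebView2 host, an assumed example) is outside the rule's coverage and would need its own entry in `ParentImage|endswith` if you want it covered.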