SigmaHQ/rules/windows/sysmon/sysmon_susp_control_dll_load.yml

2017-04-15 21:32:26 +00:00
title: Suspicious Control Panel DLL Load
status: experimental
description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
author: Florian Roth
date: 2017/04/15
reference: https://twitter.com/rikvduijn/status/853251879320662017
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        ParentImage: '*\System32\control.exe'
        CommandLine: '*\rundll32.exe *'
    filter:
        CommandLine: '*Shell32.dll*'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
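To show how the rule's `selection and not filter` condition behaves on real-looking telemetry, here is an added example that is not part of the Sigma rule or of the SigmaHQ tooling: it reproduces Sigma's default string matching (only `*` is a wildcard, comparisons are case-insensitive) in a small matcher and runs the rule over constructed Sysmon process-creation records, including the legitimate Control Panel applet launch that the `Shell32.dll` filter is there to suppress.

```python
import re

# Field patterns transcribed from the rule above; '*' is the Sigma wildcard.
SELECTION = {
    "EventID": "1",
    "ParentImage": "*\\System32\\control.exe",
    "CommandLine": "*\\rundll32.exe *",
}
FILTER = {"CommandLine": "*Shell32.dll*"}

def _wildcard_to_regex(pattern):
    """Compile a Sigma-style pattern: '*' matches anything, everything else is literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    # Sigma string comparisons are case-insensitive by default.
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def _all_match(event, terms):
    """A selection block matches only if every listed field matches its pattern."""
    return all(_wildcard_to_regex(v).match(str(event.get(k, ""))) for k, v in terms.items())

def rule_matches(event):
    """condition: selection and not filter"""
    return _all_match(event, SELECTION) and not _all_match(event, FILTER)

# Constructed Sysmon process-creation records (not real telemetry); 'id' is only a label.
SAMPLE_EVENTS = [
    {"id": "hit-1", "EventID": "1",
     "ParentImage": r"C:\Windows\System32\control.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Users\Public\unknown.dll,Start"},
    # Normal Control Panel applet launch: excluded by the filter (lower-case 'shell32.dll'
    # still matches '*Shell32.dll*' because matching is case-insensitive).
    {"id": "benign-cpl", "EventID": "1",
     "ParentImage": r"C:\Windows\System32\control.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl"},
    # Same command line, but the parent is not control.exe: selection does not match.
    {"id": "benign-parent", "EventID": "1",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl"},
    # Not a process-creation event (EventID 3 is a network connection).
    {"id": "benign-eventid", "EventID": "3",
     "ParentImage": r"C:\Windows\System32\control.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Users\Public\unknown.dll,Start"},
]

def find_hits(events):
    """Return the ids of the events this rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]

print(find_hits(SAMPLE_EVENTS))  # ['hit-1']
```

Only the first record survives: the other three fail on the parent image, the event type, or the `Shell32.dll` exclusion, which is the intended tuning so that ordinary `.cpl` applet launches do not alert.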