mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 10:13:57 +00:00
21 lines
592 B
YAML
21 lines
592 B
YAML
|
title: Suspicious Control Panel DLL Load
|
||
|
status: experimental
|
||
|
description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
|
||
|
author: Florian Roth
|
||
|
date: 2017/04/15
|
||
|
reference: https://twitter.com/rikvduijn/status/853251879320662017
|
||
|
logsource:
|
||
|
product: windows
|
||
|
service: sysmon
|
||
|
detection:
|
||
|
selection:
|
||
|
EventID: 1
|
||
|
ParentImage: '*\System32\control.exe'
|
||
|
CommandLine: '*\rundll32.exe *'
|
||
|
filter:
|
||
|
CommandLine: '*Shell32.dll*'
|
||
|
condition: selection and not filter
|
||
|
falsepositives:
|
||
|
- Unknown
|
||
|
level: high
|