rule: suspicious call by ordinal (rundll32)

rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml

@@ -0,0 +1,23 @@
+title: Suspicious Call by Ordinal
+description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
+status: experimental
+references:
+    - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
+    - https://github.com/Neo23x0/DLLRunner
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1085
+author: Florian Roth
+date: 2019/10/22
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: '*\rundll32.exe *,#*'
+    condition: selection
+falsepositives:
+    - False positives depend on scripts and administrative tools used in the monitored environment
+    - Windows contol panel elements have been identified as source (mmc)
+level: high