title: Equation Group DLL_U Load
author: Florian Roth
description: Detects a specific tool and export used by EquationGroup
references:
    - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
    - https://securelist.com/apt-slingshot/84312/
    - https://twitter.com/cyb3rops/status/972186477512839170
tags:
    - attack.execution
    - attack.g0020
    - attack.t1059
    - attack.defense_evasion
    - attack.t1085
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image: '*\rundll32.exe'
        CommandLine: '*,dll_u'
    selection2:
        CommandLine: '* -export dll_u *'
    condition: 1 of them
falsepositives:
    - Unknown
level: critical
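The following is an added example, not part of the rule above and not code from the Sigma project. It re-implements this rule's matching logic in plain Python so the semantics can be checked offline: each selection map is an AND over its fields, '*' is a wildcard for any run of characters, string comparison is case-insensitive (Sigma's default), and "1 of them" means at least one selection must match. The sample process_creation events are constructed for illustration; the field names (Image, CommandLine) follow the Sigma process_creation taxonomy, and the patterns are copied from the rule.

```python
import re
from typing import Dict, List

# Selections copied from the Sigma rule above.
SELECTIONS = {
    "selection1": {"Image": "*\\rundll32.exe", "CommandLine": "*,dll_u"},
    "selection2": {"CommandLine": "* -export dll_u *"},
}


def sigma_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Sigma wildcard string ('*' = any run, '?' = one char) into an
    anchored, case-insensitive regex. Everything else is matched literally,
    including the backslashes in Windows paths."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


COMPILED = {
    name: {field: sigma_pattern_to_regex(p) for field, p in sel.items()}
    for name, sel in SELECTIONS.items()
}


def selection_matches(name: str, event: Dict[str, str]) -> bool:
    """A selection map matches only if every one of its fields matches (AND)."""
    return all(
        field in event and regex.fullmatch(event[field]) is not None
        for field, regex in COMPILED[name].items()
    )


def matched_selections(event: Dict[str, str]) -> List[str]:
    """Names of the selections that fire for this event."""
    return [name for name in COMPILED if selection_matches(name, event)]


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: 1 of them  ->  at least one selection matches."""
    return bool(matched_selections(event))


# Constructed sample events (not real telemetry). Paths and DLL names are
# placeholders chosen only to exercise each selection.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\lib.dll,dll_u"},
    {"Image": r"C:\Temp\loader.exe",
     "CommandLine": r"loader.exe -export dll_u C:\Temp\x.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},   # benign rundll32 use
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\lib.dll,DLL_U"},  # upper case still hits
]


def run_samples() -> List[List[str]]:
    """Evaluate the rule over every constructed event."""
    return [matched_selections(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_samples()):
        print("ALERT" if hits else "ok   ", hits, ev["CommandLine"])
```

The third event shows why selection1 needs both fields: a rundll32.exe launch alone is ordinary Windows behaviour, and only the ",dll_u" export suffix on the command line turns it into a hit. The fourth event shows the case-insensitive comparison, which matters because the export name may be typed in any case on the command line.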