mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
34 lines
1.2 KiB
YAML
34 lines
1.2 KiB
YAML
title: Suspicious Process Start Without DLL
|
|
id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
|
|
description: Detects suspicious start of program that usually requires a DLL as parameter, which can be a sign of process injection or hollowing activity
|
|
status: experimental
|
|
references:
|
|
- https://twitter.com/CyberRaiju/status/1251492025678983169
|
|
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
|
|
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
|
|
- https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
|
|
- https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
|
|
author: Florian Roth
|
|
date: 2021/05/27
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
CommandLine|endswith:
|
|
- '\rundll32.exe'
|
|
- '\regsvcs.exe'
|
|
- '\regasm.exe'
|
|
- '\regsvr32.exe'
|
|
filter1:
|
|
ParentImage|contains:
|
|
- '\AppData\Local\'
|
|
- '\Microsoft\Edge\'
|
|
condition: selection and not filter1
|
|
fields:
|
|
- ParentImage
|
|
- ParentCommandLine
|
|
falsepositives:
|
|
- Possible but rare
|
|
level: high
|