SigmaHQ/rules/windows/process_creation/win_susp_rundll32_activity.yml

39 lines
1.4 KiB
YAML

title: Suspicious Rundll32 Activity
id: e593cf51-88db-4ee1-b920-37e89012a3c9
description: Detects suspicious process related to rundll32 based on arguments
status: experimental
references:
- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
- https://twitter.com/Hexacorn/status/885258886428725250
- https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
tags:
- attack.defense_evasion
- attack.execution # an old one
- attack.t1218.011
- attack.t1085 # an old one
author: juju4
date: 2019/01/16
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '*\rundll32.exe* url.dll,*OpenURL *'
- '*\rundll32.exe* url.dll,*OpenURLA *'
- '*\rundll32.exe* url.dll,*FileProtocolHandler *'
- '*\rundll32.exe* zipfldr.dll,*RouteTheCall *'
- '*\rundll32.exe* Shell32.dll,*Control_RunDLL *'
- '*\rundll32.exe javascript:*'
- '* url.dll,*OpenURL *'
- '* url.dll,*OpenURLA *'
- '* url.dll,*FileProtocolHandler *'
- '* zipfldr.dll,*RouteTheCall *'
- '* Shell32.dll,*Control_RunDLL *'
- '* javascript:*'
- '*.RegisterXLL*'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium