Title | Suspicious Rundll32 Activity |
---|---|
Description | Detects suspicious process related to rundll32 based on arguments |
ATT&CK Tactic | Defense Evasion (TA0005), Execution (TA0002) — from the rule's `attack.defense_evasion` / `attack.execution` tags |
ATT&CK Technique | T1218.011 Rundll32 (also tagged with the pre-sub-technique id T1085) |
Data Needed | |
Trigger | |
Severity Level | medium |
False Positives | False positives depend on scripts and administrative tools used in the monitored environment (the un-anchored `* javascript:*` and `*.RegisterXLL*` patterns are the likeliest noise sources) |
Development Status | experimental |
References | http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ , https://twitter.com/Hexacorn/status/885258886428725250 , https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 |
Author | juju4 |
Detection Rules
Sigma rule
# Sigma rule: rundll32 used as an execution proxy — url.dll / zipfldr.dll /
# Shell32.dll exports that launch an arbitrary program or URL, "rundll32
# javascript:" one-liners, and RegisterXLL add-in loading (see references).
title: Suspicious Rundll32 Activity
id: e593cf51-88db-4ee1-b920-37e89012a3c9
description: Detects suspicious process related to rundll32 based on arguments
status: experimental
references:
  - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
  - https://twitter.com/Hexacorn/status/885258886428725250
  - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
tags:
  - attack.defense_evasion
  - attack.execution # an old one
  - attack.t1218.011
  - attack.t1085 # an old one (pre-sub-technique id for rundll32, kept for older ATT&CK mappings)
author: juju4
date: 2019/01/16
logsource:
  # Process-creation events (Sysmon event 1 or Security 4688 with command-line
  # auditing enabled); the CommandLine field must be present in the log.
  category: process_creation
  product: windows
detection:
  selection:
    # Sigma wildcard strings. Sigma string matching is case-insensitive by
    # spec, but check each backend conversion below (the grep one-liner on
    # this page has no -i, so 'shell32.dll' would slip past it).
    CommandLine:
      # Anchored on the rundll32.exe image path. The space before the final
      # '*' means the export name must be followed by at least one argument.
      - '*\rundll32.exe* url.dll,*OpenURL *'
      - '*\rundll32.exe* url.dll,*OpenURLA *'
      - '*\rundll32.exe* url.dll,*FileProtocolHandler *'
      - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *'
      - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *'
      - '*\rundll32.exe javascript:*'
      # Same exports without the rundll32.exe anchor, so a renamed or copied
      # rundll32 binary is still caught. Each of these is a superset of the
      # anchored pattern above it, so the anchored list adds no extra matches
      # (it documents intent). '* javascript:*' hits any process whose command
      # line contains " javascript:" and is the main expected noise source.
      - '* url.dll,*OpenURL *'
      - '* url.dll,*OpenURLA *'
      - '* url.dll,*FileProtocolHandler *'
      - '* zipfldr.dll,*RouteTheCall *'
      - '* Shell32.dll,*Control_RunDLL *'
      - '* javascript:*'
      # Excel add-in registration (presumably the EXCEL.EXE,RegisterXLL loader
      # from the ryhanson gist — confirm); not anchored to rundll32 either.
      - '*.RegisterXLL*'
  # Any single pattern is enough to fire.
  condition: selection
falsepositives:
  - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
powershell
# Sigma "Suspicious Rundll32 Activity" as a PowerShell event-log filter.
# Keeps every event whose message text contains a "CommandLine" value that
# matches one of the rundll32 proxy-execution signatures below, then prints
# the usual triage columns.
# Notes for the analyst:
#  - Get-WinEvent is invoked without -LogName/-FilterHashtable; scope it to the
#    process-creation source you collect (Sysmon event 1 or Security 4688)
#    before running it at scale.
#  - -match is a case-insensitive regex test, so 'shell32.dll' and
#    'Shell32.dll' both hit. The '.' in 'rundll32.exe' / 'url.dll' is an
#    unescaped regex metacharacter and therefore matches any character.
#  - The last seven patterns are not anchored on rundll32.exe and each one
#    fully contains its anchored counterpart; ' javascript:' in particular
#    matches any process command line holding that substring.
Get-WinEvent | Where-Object {
  $text = $_.Message
  $hit = $false
  foreach ($pattern in @(
      "CommandLine.*.*\\\\rundll32.exe.* url.dll,.*OpenURL .*",
      "CommandLine.*.*\\\\rundll32.exe.* url.dll,.*OpenURLA .*",
      "CommandLine.*.*\\\\rundll32.exe.* url.dll,.*FileProtocolHandler .*",
      "CommandLine.*.*\\\\rundll32.exe.* zipfldr.dll,.*RouteTheCall .*",
      "CommandLine.*.*\\\\rundll32.exe.* Shell32.dll,.*Control_RunDLL .*",
      "CommandLine.*.*\\\\rundll32.exe javascript:.*",
      "CommandLine.*.* url.dll,.*OpenURL .*",
      "CommandLine.*.* url.dll,.*OpenURLA .*",
      "CommandLine.*.* url.dll,.*FileProtocolHandler .*",
      "CommandLine.*.* zipfldr.dll,.*RouteTheCall .*",
      "CommandLine.*.* Shell32.dll,.*Control_RunDLL .*",
      "CommandLine.*.* javascript:.*",
      "CommandLine.*.*.RegisterXLL.*"
    )) {
    if ($text -match $pattern) { $hit = $true; break }
  }
  $hit
} | Select-Object TimeCreated, Id, RecordId, ProcessId, MachineName, Message
es-qs
winlog.event_data.CommandLine.keyword:(*\\\\rundll32.exe*\\ url.dll,*OpenURL\\ * OR *\\\\rundll32.exe*\\ url.dll,*OpenURLA\\ * OR *\\\\rundll32.exe*\\ url.dll,*FileProtocolHandler\\ * OR *\\\\rundll32.exe*\\ zipfldr.dll,*RouteTheCall\\ * OR *\\\\rundll32.exe*\\ Shell32.dll,*Control_RunDLL\\ * OR *\\\\rundll32.exe\\ javascript\\:* OR *\\ url.dll,*OpenURL\\ * OR *\\ url.dll,*OpenURLA\\ * OR *\\ url.dll,*FileProtocolHandler\\ * OR *\\ zipfldr.dll,*RouteTheCall\\ * OR *\\ Shell32.dll,*Control_RunDLL\\ * OR *\\ javascript\\:* OR *.RegisterXLL*)
xpack-watcher
# Elastic Watcher form of the rule, generated by sigmac: PUTs a watch named
# after the Sigma rule id that re-runs the es-qs query every 30 minutes over
# the last 30 minutes of winlogbeat-* data and e-mails when hits.total is
# non-zero. Before deploying, note:
#  - The target is plain http://localhost:9200 with no credentials; point it
#    at the real cluster over TLS with an API key or user that is allowed to
#    manage watches.
#  - The search body uses "size": 0, so ctx.payload.hits.hits comes back
#    empty and the e-mail template "Hits: {{#ctx.payload.hits.hits}}..." will
#    list no events; raise size if the alert should carry the matching lines.
#  - The range filter is on a field named "timestamp"; winlogbeat mappings
#    normally key on @timestamp — confirm the field for your index.
#  - from/to are root@localhost placeholders; throttle_period 15m means at
#    most one mail per quarter hour while the watch keeps firing.
#  - The \n and \' sequences below are how this page renders the generated
#    command (a multi-line curl heredoc); rebuild it with real newlines and
#    plain quotes, and check the backslash escaping in the query against a
#    known-good sample, before running it.
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/e593cf51-88db-4ee1-b920-37e89012a3c9 <<EOF\n{\n "metadata": {\n "title": "Suspicious Rundll32 Activity",\n "description": "Detects suspicious process related to rundll32 based on arguments",\n "tags": [\n "attack.defense_evasion",\n "attack.execution",\n "attack.t1218.011",\n "attack.t1085"\n ],\n "query": "winlog.event_data.CommandLine.keyword:(*\\\\\\\\rundll32.exe*\\\\ url.dll,*OpenURL\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ url.dll,*OpenURLA\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ url.dll,*FileProtocolHandler\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ zipfldr.dll,*RouteTheCall\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ Shell32.dll,*Control_RunDLL\\\\ * OR *\\\\\\\\rundll32.exe\\\\ javascript\\\\:* OR *\\\\ url.dll,*OpenURL\\\\ * OR *\\\\ url.dll,*OpenURLA\\\\ * OR *\\\\ url.dll,*FileProtocolHandler\\\\ * OR *\\\\ zipfldr.dll,*RouteTheCall\\\\ * OR *\\\\ Shell32.dll,*Control_RunDLL\\\\ * OR *\\\\ javascript\\\\:* OR *.RegisterXLL*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "winlog.event_data.CommandLine.keyword:(*\\\\\\\\rundll32.exe*\\\\ url.dll,*OpenURL\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ url.dll,*OpenURLA\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ url.dll,*FileProtocolHandler\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ zipfldr.dll,*RouteTheCall\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ Shell32.dll,*Control_RunDLL\\\\ * OR *\\\\\\\\rundll32.exe\\\\ javascript\\\\:* OR *\\\\ url.dll,*OpenURL\\\\ * OR *\\\\ url.dll,*OpenURLA\\\\ * OR *\\\\ url.dll,*FileProtocolHandler\\\\ * OR *\\\\ zipfldr.dll,*RouteTheCall\\\\ * OR *\\\\ Shell32.dll,*Control_RunDLL\\\\ * OR *\\\\ javascript\\\\:* OR *.RegisterXLL*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": [\n 
"winlogbeat-*"\n ]\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "throttle_period": "15m",\n "email": {\n "profile": "standard",\n "from": "root@localhost",\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious Rundll32 Activity\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
graylog
CommandLine.keyword:(*\\\\rundll32.exe* url.dll,*OpenURL * *\\\\rundll32.exe* url.dll,*OpenURLA * *\\\\rundll32.exe* url.dll,*FileProtocolHandler * *\\\\rundll32.exe* zipfldr.dll,*RouteTheCall * *\\\\rundll32.exe* Shell32.dll,*Control_RunDLL * *\\\\rundll32.exe javascript\\:* * url.dll,*OpenURL * * url.dll,*OpenURLA * * url.dll,*FileProtocolHandler * * zipfldr.dll,*RouteTheCall * * Shell32.dll,*Control_RunDLL * * javascript\\:* *.RegisterXLL*)
splunk
(CommandLine="*\\\\rundll32.exe* url.dll,*OpenURL *" OR CommandLine="*\\\\rundll32.exe* url.dll,*OpenURLA *" OR CommandLine="*\\\\rundll32.exe* url.dll,*FileProtocolHandler *" OR CommandLine="*\\\\rundll32.exe* zipfldr.dll,*RouteTheCall *" OR CommandLine="*\\\\rundll32.exe* Shell32.dll,*Control_RunDLL *" OR CommandLine="*\\\\rundll32.exe javascript:*" OR CommandLine="* url.dll,*OpenURL *" OR CommandLine="* url.dll,*OpenURLA *" OR CommandLine="* url.dll,*FileProtocolHandler *" OR CommandLine="* zipfldr.dll,*RouteTheCall *" OR CommandLine="* Shell32.dll,*Control_RunDLL *" OR CommandLine="* javascript:*" OR CommandLine="*.RegisterXLL*")
logpoint
CommandLine IN ["*\\\\rundll32.exe* url.dll,*OpenURL *", "*\\\\rundll32.exe* url.dll,*OpenURLA *", "*\\\\rundll32.exe* url.dll,*FileProtocolHandler *", "*\\\\rundll32.exe* zipfldr.dll,*RouteTheCall *", "*\\\\rundll32.exe* Shell32.dll,*Control_RunDLL *", "*\\\\rundll32.exe javascript:*", "* url.dll,*OpenURL *", "* url.dll,*OpenURLA *", "* url.dll,*FileProtocolHandler *", "* zipfldr.dll,*RouteTheCall *", "* Shell32.dll,*Control_RunDLL *", "* javascript:*", "*.RegisterXLL*"]
grep
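# Sigma "Suspicious Rundll32 Activity" as a grep filter: reads process command
# lines (one per line) from stdin — or from the files given as arguments —
# and prints those matching a rundll32 proxy-execution signature
# (url.dll / zipfldr.dll / Shell32.dll exports, " javascript:" URLs,
# RegisterXLL).
# -P: PCRE, required for the (?: ) non-capturing group.
# -i: Sigma string matching is case-insensitive and so are Windows file
#     names, so 'shell32.dll,Control_RunDLL' must hit exactly like
#     'Shell32.dll,Control_RunDLL'; the generated one-liner was case-sensitive.
# The leading '^(?:.*' anchor is a no-op (every alternative starts with .*)
# and is kept only so the pattern stays identical to the generated one.
# NOTE(review): the doubled backslashes (e.g. 'url\\.dll') are how this page
# renders the generated pattern; verify it against a real
# 'rundll32.exe url.dll,OpenURL ...' line before relying on those branches.
rundll32_re='^(?:.*.*\\rundll32\\.exe.* url\\.dll,.*OpenURL .*|.*.*\\rundll32\\.exe.* url\\.dll,.*OpenURLA .*|.*.*\\rundll32\\.exe.* url\\.dll,.*FileProtocolHandler .*|.*.*\\rundll32\\.exe.* zipfldr\\.dll,.*RouteTheCall .*|.*.*\\rundll32\\.exe.* Shell32\\.dll,.*Control_RunDLL .*|.*.*\\rundll32\\.exe javascript:.*|.*.* url\\.dll,.*OpenURL .*|.*.* url\\.dll,.*OpenURLA .*|.*.* url\\.dll,.*FileProtocolHandler .*|.*.* zipfldr\\.dll,.*RouteTheCall .*|.*.* Shell32\\.dll,.*Control_RunDLL .*|.*.* javascript:.*|.*.*\\.RegisterXLL.*)'
grep -P -i -e "$rundll32_re" -- "$@"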