Detection | Level: medium | Status: test
Suspicious Workstation Locking via Rundll32
Detects rundll32.exe launched from cmd.exe to call the user32.dll export LockWorkStation, which locks the interactive user's workstation. Locking a session this way from a command shell is unusual for users and is a known way to disrupt or evade an operator at the console.
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (4 selectors)
detection:
selection_call_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_call_parent:
ParentImage|endswith: '\cmd.exe'
selection_call_cli:
CommandLine|contains: 'user32.dll,'
selection_function:
CommandLine|contains: 'LockWorkStation'
    condition: all of selection_*

The condition requires every selector to match on the same event: the image path ends in \rundll32.exe or the PE OriginalFileName is RUNDLL32.EXE (so a renamed copy is still caught), the parent is cmd.exe, and the command line contains both 'user32.dll,' (comma included, i.e. the DLL,entrypoint form rundll32 takes) and 'LockWorkStation'. Sigma string matching is case-insensitive by default, so mixed-case command lines match as well.

False Positives
Scripts or shortcuts on the user's desktop used to lock the workstation instead of Windows+L or the Start menu option. Note that only the cmd.exe-spawned case fires: a batch script that runs rundll32 has cmd.exe as its parent and matches all four selectors, whereas a shortcut launched directly from Explorer has explorer.exe as its parent and does not.
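To show what the four selectors actually accept and reject, the following is an added Python re-implementation of the rule's logic evaluated against constructed process-creation events; it is not the rule's YAML, not output of any Sigma backend, and the event field names, paths and command lines are assumptions chosen to exercise each selector. It mirrors Sigma's default case-insensitive string matching and covers the cmd.exe launch, a renamed rundll32 caught by OriginalFileName, the Explorer-launched shortcut, and a command line without the comma.

```python
# Added example: the four selectors of the "Suspicious Workstation Locking via
# Rundll32" rule, re-implemented in Python over constructed events. Not the
# rule's own code; field names and sample events are assumptions.
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of a process-creation event (assumed field names)."""
    image: str
    original_file_name: str
    parent_image: str
    command_line: str


def _ci(value: str) -> str:
    # Sigma string modifiers (endswith/contains/equality) are case-insensitive
    # by default; lower-casing both sides reproduces that behaviour.
    return value.lower()


def selection_call_img(e: ProcessEvent) -> bool:
    # Image|endswith '\rundll32.exe' OR OriginalFileName 'RUNDLL32.EXE'
    # (the list form in the YAML is a logical OR between the two maps).
    return _ci(e.image).endswith("\\rundll32.exe") or _ci(e.original_file_name) == "rundll32.exe"


def selection_call_parent(e: ProcessEvent) -> bool:
    # ParentImage|endswith '\cmd.exe'
    return _ci(e.parent_image).endswith("\\cmd.exe")


def selection_call_cli(e: ProcessEvent) -> bool:
    # CommandLine|contains 'user32.dll,' -- the trailing comma is part of the pattern.
    return "user32.dll," in _ci(e.command_line)


def selection_function(e: ProcessEvent) -> bool:
    # CommandLine|contains 'LockWorkStation'
    return "lockworkstation" in _ci(e.command_line)


SELECTORS = (selection_call_img, selection_call_parent, selection_call_cli, selection_function)


def matches(e: ProcessEvent) -> bool:
    # condition: all of selection_*
    return all(sel(e) for sel in SELECTORS)


def explain(e: ProcessEvent) -> dict:
    """Per-selector verdicts, useful when tuning or debugging the rule."""
    return {sel.__name__: sel(e) for sel in SELECTORS}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    # Canonical hit: rundll32 started from a command shell.
    "cmd_lock": ProcessEvent(
        r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
        r"C:\Windows\System32\cmd.exe", "rundll32.exe user32.dll,LockWorkStation"),
    # Renamed binary: the image name no longer matches, OriginalFileName still does.
    "renamed_rundll32": ProcessEvent(
        r"C:\Users\Public\svc.exe", "RUNDLL32.EXE",
        r"C:\Windows\System32\cmd.exe", "svc.exe user32.dll,LockWorkStation"),
    # Desktop shortcut launched directly from Explorer: parent selector fails.
    "lnk_from_explorer": ProcessEvent(
        r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
        r"C:\Windows\explorer.exe", "rundll32.exe user32.dll,LockWorkStation"),
    # Mixed case everywhere: still a hit because matching is case-insensitive.
    "mixed_case": ProcessEvent(
        r"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE", "RUNDLL32.EXE",
        r"C:\WINDOWS\SYSTEM32\CMD.EXE", "RUNDLL32.EXE USER32.DLL,lockworkstation"),
    # Different DLL/export from cmd.exe: no user32/LockWorkStation, no hit.
    "other_export": ProcessEvent(
        r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
        r"C:\Windows\System32\cmd.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    # Space instead of comma after the DLL name: 'user32.dll,' is absent, so the
    # rule as written does not fire on this command line.
    "no_comma": ProcessEvent(
        r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
        r"C:\Windows\System32\cmd.exe", "rundll32.exe user32.dll LockWorkStation"),
}


def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Return {event name: rule matched?} for a batch of events."""
    return {name: matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:18} match={matches(ev)!s:5} {explain(ev)}")
```

Running the block prints one line per sample with the overall verdict and each selector's result; the `no_comma` and `lnk_from_explorer` rows are the ones to look at when deciding whether the parent and comma constraints are too narrow for your environment.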
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Rule Metadata
Rule ID
3b5b0213-0460-4e3f-8937-3abf98ff7dcc
Status
test
Level
medium
Type
Detection
Created
Sat Jun 04
Modified
Thu Feb 09
Author
Path
rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml
Raw Tags
attack.defense-evasion