Detectionmediumtest
Potential Obfuscated Ordinal Call Via Rundll32
Detects execution of "rundll32" with potential obfuscated ordinal calls
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)Created Wed May 17Updated Sun Feb 2343fa5350-db63-4b8f-9a01-789a427074e1windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
- CommandLine|contains: 'rundll32'
selection_cli:
CommandLine|contains:
- '#+'
- '#-'
# ordinal can be represented by adding any number of zeros in front ordinal number, for e.g. 000000024
- '#0'
# ordinal is 16 bit ordinal, so if you make the number large enough (don't fit in 16 bit space), then it normally wraps around.
# for e.g ordinal 24 can be also represented by 65560 (65536+24)
- '#655'
- '#656'
condition: all of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
1
2Resolving title…
Internal ResearchResolving title…
youtube.comMITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
43fa5350-db63-4b8f-9a01-789a427074e1
Status
test
Level
medium
Type
Detection
Created
Wed May 17
Modified
Sun Feb 23
Path
rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml
Raw Tags
attack.defense-evasionattack.t1027.010