Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious ShellExec_RunDLL Call Via Ordinal

Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Swachchhanda Shrawan PoudelCreated Sun Dec 018823e85d-31d8-473e-b7f4-92da070f0fc6windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic4 selectors
detection:
    selection_parent_img:
        ParentCommandLine|contains: 'SHELL32.DLL'
    selection_parent_ordinal:
        ParentCommandLine|contains:
            # Note: The ordinal number may differ depending on the DLL version
            # Example: rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"
            - '#568'
            - '#570'
            - '#572'
            - '#576'
    selection_susp_cli_parent:
        # Note: Add additional binaries and suspicious paths to increase coverage
        - ParentCommandLine|contains:
              - 'comspec'
              - 'iex'
              - 'Invoke-'
              - 'msiexec'
              - 'odbcconf'
              - 'regsvr32'
        - ParentCommandLine|contains:
              - '\Desktop\'
              - '\ProgramData\'
              - '\Temp\'
              - '\Users\Public\'
    selection_susp_child_img:
        Image|endswith:
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\msxsl.exe'
            - '\odbcconf.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: all of selection_parent_* and 1 of selection_susp_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
redcanary.com
2
Resolving title…
microsoft.com
3
Resolving title…
github.com
4
Resolving title…
strontic.github.io
MITRE ATT&CK

Sub-techniques

T1218.011 · Rundll32
Related Rules
DerivedDetectionhigh

Suspicious Usage Of ShellExec_RunDLL

Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
8823e85d-31d8-473e-b7f4-92da070f0fc6
Status
test
Level
high
Type
Detection
Created
Sun Dec 01
Author
Swachchhanda Shrawan Poudel
Path
rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml
Raw Tags
attack.defense-evasionattack.t1218.011
View on GitHub