Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

DLL Execution via Rasautou.exe

Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Julia Fomina, oscd.communityCreated Fri Oct 09cd3d1298-eb3b-476c-ac67-12847de55813windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Definition

Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\rasautou.exe'
        - OriginalFileName: 'rasdlui.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' -d '
            - ' -p '
    condition: all of selection*
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
lolbas-project.github.io
2
Resolving title…
github.com
3
Resolving title…
fireeye.com
MITRE ATT&CK
Rule Metadata
Rule ID
cd3d1298-eb3b-476c-ac67-12847de55813
Status
test
Level
medium
Type
Detection
Created
Fri Oct 09
Author
Julia Fomina, oscd.community
Path
rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
Raw Tags
attack.defense-evasionattack.t1218
View on GitHub