Rundll32 Internet Connection
Detection rule (level: medium, status: test)
Detects a rundll32 that communicates with public IP addresses
Author: Florian Roth (Nextron Systems)
Created: Sat Nov 04
Updated: Wed Mar 13
Rule ID: cdc8da7d-c303-42f8-b08c-b4ab47230263
Product: windows
Log Source
Product: windows
Category: network_connection
Events for outbound and inbound network connections, including DNS resolution.
Detection Logic (6 selectors)
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'    # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'   # IPv6 private addresses
    filter_main_ms_ranges:
        DestinationIp|cidr:
            - '20.0.0.0/8'     # Microsoft range, caused some FPs
            - '51.103.0.0/16'  # Microsoft AS8075 range, caused some FPs
            - '51.104.0.0/16'  # Microsoft AS8075 range, caused some FPs
            - '51.105.0.0/16'  # Microsoft AS8075 range, caused some FPs
    filter_main_app_sdb:
        CommandLine|endswith: '\system32\PcaSvc.dll,PcaPatchSdbTask'
    filter_main_azure_managed:
        SourceHostname|endswith: '.internal.cloudapp.net'
    filter_main_svchost_update_processes:
        # Note: this requires "ParentImage" data enrichment.
        ParentImage: 'C:\Windows\System32\svchost.exe'
        DestinationPort: 443
    condition: selection and not 1 of filter_main_*
False Positives
Communication to other corporate systems that use IP addresses from public address spaces
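To see how the selection and the five filters combine under the condition above, here is a small Python re-implementation of the rule's matching logic run over constructed network-connection events (an added example, not part of the Sigma rule or its repository). Field names follow Sysmon Event ID 3; the hostnames, parent images and sample IPs (RFC 5737/3849 documentation prefixes) are made up for the demonstration.

```python
import ipaddress
# Filter lists copied from the rule's filter_main_local_ranges / filter_main_ms_ranges.
LOCAL_RANGES = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7"]
MS_RANGES = ["20.0.0.0/8", "51.103.0.0/16", "51.104.0.0/16", "51.105.0.0/16"]

def in_cidr(ip, ranges):
    """Sigma |cidr modifier: True if ip lies in any listed network (v4 and v6 never mix)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def field(ev, name):
    """Sigma string matching is case-insensitive; normalise once."""
    return str(ev.get(name, "")).lower()

def rule_matches(ev):
    """Evaluate 'selection and not 1 of filter_main_*' for a single event."""
    if not (field(ev, "Image").endswith("\\rundll32.exe") and field(ev, "Initiated") == "true"):
        return False
    dst = ev.get("DestinationIp", "")
    filters = [
        in_cidr(dst, LOCAL_RANGES),                                       # filter_main_local_ranges
        in_cidr(dst, MS_RANGES),                                          # filter_main_ms_ranges
        field(ev, "CommandLine").endswith("\\system32\\pcasvc.dll,pcapatchsdbtask"),  # app_sdb
        field(ev, "SourceHostname").endswith(".internal.cloudapp.net"),   # azure_managed
        field(ev, "ParentImage") == "c:\\windows\\system32\\svchost.exe"
        and int(ev.get("DestinationPort", 0)) == 443,                     # svchost_update_processes
    ]
    return not any(filters)  # any single matching filter suppresses the alert

def alerting_ids(events):
    return [ev["id"] for ev in events if rule_matches(ev)]
# Constructed sample events (Sysmon Event ID 3 field names); 203.0.113.0/24 and
# 2001:db8::/32 are documentation prefixes standing in for arbitrary public IPs.
BASE = {"Image": "C:\\Windows\\System32\\rundll32.exe", "Initiated": "true",
        "ParentImage": "C:\\Windows\\explorer.exe", "DestinationPort": 80,
        "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "SourceHostname": "ws01.corp.local"}
SAMPLE_EVENTS = [
    {**BASE, "id": "public-v4", "DestinationIp": "203.0.113.10"},
    {**BASE, "id": "public-v6", "DestinationIp": "2001:db8::1"},
    {**BASE, "id": "rfc1918", "DestinationIp": "10.0.0.5"},
    {**BASE, "id": "ms-range", "DestinationIp": "20.50.1.1"},
    {**BASE, "id": "svchost-443", "DestinationIp": "203.0.113.10",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe", "DestinationPort": 443},
    {**BASE, "id": "svchost-80", "DestinationIp": "203.0.113.10", "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {**BASE, "id": "pca-task", "DestinationIp": "203.0.113.10",
     "CommandLine": "rundll32.exe C:\\Windows\\system32\\PcaSvc.dll,PcaPatchSdbTask"},
    {**BASE, "id": "inbound", "DestinationIp": "203.0.113.10", "Initiated": "false"},
]
```

Only the three events that reach a public address without tripping a filter alert; note that the svchost filter needs both the parent and port 443, so the same parent on port 80 still fires.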
Rule Metadata
Rule ID: cdc8da7d-c303-42f8-b08c-b4ab47230263
Status: test
Level: medium
Type: Detection
Created: Sat Nov 04
Modified: Wed Mar 13
Path: rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
Tags: attack.defense-evasion, attack.t1218.011, attack.execution