Suspicious Usage Of ShellExec_RunDLL
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands, as seen in the Raspberry Robin attack
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
    selection_openasrundll:
        CommandLine|contains: 'ShellExec_RunDLL'
    selection_suspcli:
        CommandLine|contains:
            # Note: The ordinal number may differ depending on the DLL version
            - '\Desktop\'
            - '\Temp\'
            - '\Users\Public\'
            - 'comspec'
            - 'iex'
            - 'Invoke-'
            - 'msiexec'
            - 'odbcconf'
            - 'regsvr32'
    condition: all of selection_*

False positive likelihood has not been assessed. Additional context may be needed during triage.
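The rule above reduces to two substring checks that must both hold on the same process-creation event. The following Python is an added example, not part of this page or of the Sigma project: it re-implements that logic (Sigma's `contains` modifier is case-insensitive by default, which the helper mirrors) and runs it over a handful of constructed command lines, including one that uses an ordinal export instead of the function name so the coverage gap the related rule addresses is visible. The event dictionaries, the `#NNN` ordinal placeholder and the file names are all made up for the demonstration.

```python
"""Evaluate the 'Suspicious Usage Of ShellExec_RunDLL' Sigma logic over
process-creation events (added example; not the page's own code)."""

# Values copied from the rule's detection block above.
OPENAS_RUNDLL = ["ShellExec_RunDLL"]
SUSP_CLI = [
    "\\Desktop\\", "\\Temp\\", "\\Users\\Public\\",
    "comspec", "iex", "Invoke-", "msiexec", "odbcconf", "regsvr32",
]


def contains_any(value: str, needles) -> list:
    """Sigma 'contains' modifier: case-insensitive substring match.
    Returns the list of needles that matched (empty list = no match)."""
    lowered = value.lower()
    return [n for n in needles if n.lower() in lowered]


def matches_rule(event: dict) -> bool:
    """condition: all of selection_*  -> both selections must match."""
    cmd = event.get("CommandLine", "")
    return bool(contains_any(cmd, OPENAS_RUNDLL)) and bool(contains_any(cmd, SUSP_CLI))


def triage(events) -> list:
    """Return (index, matched suspicious terms) for every event the rule fires on,
    so an analyst sees which keyword tipped the alert."""
    hits = []
    for i, event in enumerate(events):
        if matches_rule(event):
            hits.append((i, contains_any(event.get("CommandLine", ""), SUSP_CLI)))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: named export plus a public-writable path -> both selections hit
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": 'rundll32.exe shell32.dll,ShellExec_RunDLL "C:\\Users\\Public\\setup.exe"'},
    # 1: named export but no suspicious keyword -> selection_suspcli misses
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,ShellExec_RunDLL notepad.exe"},
    # 2: same intent via an ordinal (#NNN is a placeholder, not a real ordinal);
    #    this rule does NOT fire, which is the gap the ordinal rule covers
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": 'rundll32.exe shell32.dll,#NNN "C:\\Users\\Public\\setup.exe"'},
    # 3: suspicious keyword alone, no ShellExec_RunDLL -> selection_openasrundll misses
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i C:\\Users\\Public\\setup.msi"},
]


if __name__ == "__main__":
    for idx, terms in triage(SAMPLE_EVENTS):
        print(f"event {idx} matched on {terms}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Only event 0 fires. Event 2 shows why the companion rule that watches for the ordinal form exists, and event 1 shows that the function name alone is not enough to alert, which keeps ordinary ShellExec_RunDLL usage out of the queue.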
Tactics
36c5146c-d127-4f85-8e21-01bf62355d5a
Suspicious ShellExec_RunDLL Call Via Ordinal
Detects a suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through its ordinal number to launch other commands. An adversary might use only the ordinal number in order to bypass existing detections that alert on the string ShellExec_RunDLL appearing in the CommandLine.
Detects similar activity. Both rules may fire on overlapping events.