Detectionmediumtest

Potentially Suspicious Rundll32 Activity

Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)Created Wed Jan 16Updated Wed May 17e593cf51-88db-4ee1-b920-37e89012a3c9windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        - CommandLine|contains|all:
              - 'javascript:'
              - '.RegisterXLL'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'OpenURLA'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'FileProtocolHandler'
        - CommandLine|contains|all:
              - 'zipfldr.dll'
              - 'RouteTheCall'
        - CommandLine|contains|all:
              - 'shell32.dll'
              - 'Control_RunDLL'
        - CommandLine|contains|all:
              - 'shell32.dll'
              - 'ShellExec_RunDLL'
        - CommandLine|contains|all:
              - 'mshtml.dll'
              - 'PrintHTML'
        - CommandLine|contains|all:
              - 'advpack.dll'
              - 'LaunchINFSection'
        - CommandLine|contains|all:
              - 'advpack.dll'
              - 'RegisterOCX'
        - CommandLine|contains|all:
              - 'ieadvpack.dll'
              - 'LaunchINFSection'
        - CommandLine|contains|all:
              - 'ieadvpack.dll'
              - 'RegisterOCX'
        - CommandLine|contains|all:
              - 'ieframe.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'shdocvw.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'syssetup.dll'
              - 'SetupInfObjectInstallAction'
        - CommandLine|contains|all:
              - 'setupapi.dll'
              - 'InstallHinfSection'
        - CommandLine|contains|all:
              - 'pcwutl.dll'
              - 'LaunchApplication'
        - CommandLine|contains|all:
              - 'dfshim.dll'
              - 'ShOpenVerbApplication'
        - CommandLine|contains|all:
              - 'dfshim.dll'
              - 'ShOpenVerbShortcut'
        - CommandLine|contains|all:
              - 'scrobj.dll'
              - 'GenerateTypeLib'
              - 'http'
        - CommandLine|contains|all:
              - 'shimgvw.dll'
              - 'ImageView_Fullscreen'
              - 'http'
        - CommandLine|contains|all:
              - 'comsvcs.dll'
              - 'MiniDump'
    filter_main_screensaver:
        CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver'
    filter_main_parent_cpl:  # Settings
        ParentImage: 'C:\Windows\System32\control.exe'
        ParentCommandLine|contains: '.cpl'
        CommandLine|contains|all:
            - 'Shell32.dll'
            - 'Control_RunDLL'
            - '.cpl'
    filter_main_startmenu:
        ParentImage: 'C:\Windows\System32\control.exe'
        CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\'
        CommandLine|endswith: '.cpl",'
    condition: selection and not 1 of filter_main_*