Threat Hunt | Level: medium | Status: stable
DLL Call by Ordinal Via Rundll32.EXE
Detects calls to DLL exports by ordinal number via rundll32.exe.
Author: Florian Roth (Nextron Systems) | Created: Tue Oct 22 | Updated: Tue Jul 16 | Rule ID: e79a9e79-eb72-4e78-a628-0e7e8f59e89c | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (4 selectors)
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains:
            - ',#'
            - ', #'
            - '.dll #' # Sysmon removes , in its log
            - '.ocx #' # HermeticWizard
    filter_optional_edge:
        CommandLine|contains|all:
            - 'EDGEHTML.dll'
            - '#141'
    filter_optional_vsbuild_dll:
        ParentImage|contains:
            - '\Msbuild\Current\Bin\'
            - '\VC\Tools\MSVC\'
            - '\Tracker.exe'
        CommandLine|contains:
            - '\FileTracker32.dll,#1'
            - '\FileTracker32.dll",#1'
            - '\FileTracker64.dll,#1'
            - '\FileTracker64.dll",#1'
    condition: all of selection_* and not 1 of filter_optional_*

False Positives
False positives depend on scripts and administrative tools used in the monitored environment.
Windows control panel elements have been identified as source (mmc).
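The selectors and condition above, re-implemented as an added example (not code from the rule page or the Sigma project) and run over constructed process_creation events. It assumes Sigma's default case-insensitive string matching and Sysmon-style field names (Image, OriginalFileName, CommandLine, ParentImage).

```python
def _f(ev, field):
    """Field value lower-cased, empty when absent (Sigma matching is case-insensitive)."""
    return str(ev.get(field, "")).lower()

def selection_img(ev):
    # A list of maps in Sigma is an OR between the alternatives
    return _f(ev, "Image").endswith("\\rundll32.exe") or _f(ev, "OriginalFileName") == "rundll32.exe"

def selection_cli(ev):
    # CommandLine|contains with a list: any one value matches
    return any(s in _f(ev, "CommandLine") for s in (",#", ", #", ".dll #", ".ocx #"))

def filter_optional_edge(ev):
    # contains|all: every listed value must be present
    return all(s in _f(ev, "CommandLine") for s in ("edgehtml.dll", "#141"))

def filter_optional_vsbuild_dll(ev):
    # Two fields inside one map: both must match (each list is still an OR)
    parents = ("\\msbuild\\current\\bin\\", "\\vc\\tools\\msvc\\", "\\tracker.exe")
    clis = ("\\filetracker32.dll,#1", "\\filetracker32.dll\",#1",
            "\\filetracker64.dll,#1", "\\filetracker64.dll\",#1")
    return any(p in _f(ev, "ParentImage") for p in parents) and any(c in _f(ev, "CommandLine") for c in clis)

def matches(ev):
    # condition: all of selection_* and not 1 of filter_optional_*
    return (selection_img(ev) and selection_cli(ev)
            and not (filter_optional_edge(ev) or filter_optional_vsbuild_dll(ev)))

# Constructed sample events; paths and DLL names are made up for this demonstration.
RUNDLL = "C:\\Windows\\System32\\rundll32.exe"
VS_BIN = "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\"
SAMPLE_EVENTS = [
    {"Image": RUNDLL, "CommandLine": "rundll32.exe C:\\Temp\\sample.dll,#2"},                     # ordinal call
    {"Image": RUNDLL, "CommandLine": "rundll32.exe C:\\Temp\\sample.dll #2"},                     # Sysmon dropped the comma
    {"Image": "C:\\Windows\\notepad.exe", "CommandLine": "notepad.exe C:\\Temp\\sample.dll,#2"},  # not rundll32
    {"Image": RUNDLL, "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},                   # export called by name
    {"Image": RUNDLL, "CommandLine": "rundll32.exe C:\\Windows\\System32\\EDGEHTML.dll,#141"},     # edge filter applies
    {"Image": RUNDLL, "ParentImage": VS_BIN + "Tracker.exe",
     "CommandLine": "rundll32.exe \"" + VS_BIN + "FileTracker64.dll\",#1"},                         # vsbuild filter applies
    {"Image": RUNDLL, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "rundll32.exe C:\\Temp\\FileTracker64.dll,#1"},                                 # filter needs the parent too
]

def evaluate(events=SAMPLE_EVENTS):
    """One bool per event: True means the rule would fire on it."""
    return [matches(e) for e in events]

if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("HIT" if hit else "ok ", ev["CommandLine"])
```

The last constructed event shows why the MSBuild filter pairs ParentImage with CommandLine: the same FileTracker ordinal under an unexpected parent is still reported.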
MITRE ATT&CK
Tactic: Defense Evasion (attack.defense-evasion)
Technique: T1218.011 System Binary Proxy Execution: Rundll32 (attack.t1218.011)
Rule Metadata
Rule ID: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
Status: stable
Level: medium
Type: Threat Hunt
Created: Tue Oct 22
Modified: Tue Jul 16
Path: rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml
Raw Tags: attack.defense-evasion, attack.t1218.011, detection.threat-hunting