Rule Library
Sigma Rules
2 rules found for "CD_ROM_"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · medium · test
Rundll32 Spawned Via Explorer.EXE
Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This behavior has been observed in variants of Raspberry Robin, as first reported by Red Canary.
Windows · Process Creation
TA0005 · Defense Evasion
CD_ROM_ · Sat May 21 · windows
Detection · high · test
RunDLL32 Spawning Explorer
Detects RunDLL32.exe spawning explorer.exe as a child process, which is very uncommon. Gamarue is often observed spawning the explorer.exe process in an unusual way.
Windows · Process Creation
TA0005 · Defense Evasion; T1218.011 · Rundll32
elhoim +1 · Wed Apr 27 · windows