Sigma Rules
43 rules found for "attack.T1218.011"
Remote Thread Creation Via PowerShell In Uncommon Target
Detects the creation of a remote thread from a PowerShell process in an uncommon target process
SCR File Write Event
Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
Unsigned DLL Loaded by Windows Utility
Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.
Rundll32 Internet Connection
Detects a rundll32 that communicates with public IP addresses
Outbound Network Connection To Public IP Via Winlogon
Detects a "winlogon.exe" process that initiates network communications with public IP addresses
Process Access via TrolleyExpress Exclusion
Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
HTML Help HH.EXE Suspicious Child Process
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
Suspicious HH.EXE Execution
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
HackTool - F-Secure C3 Load by Rundll32
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
CobaltStrike Load by Rundll32
Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.
HackTool - RedMimicry Winnti Playbook Execution
Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility
Code Execution via Pcwutl.dll
Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
Rundll32 InstallScreenSaver Execution
An attacker may execute an application as an SCR file using rundll32.exe desk.cpl,InstallScreenSaver
Suspicious Rundll32 Setupapi.dll Activity
The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions that allow creating values in the registry, modifying files and installing drivers. This technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys, running a process, or using other DLL chain calls (see references). The InstallHinfSection function in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file.
Shell32 DLL Execution in Suspicious Directory
Detects shell32.dll executing a DLL in a suspicious directory
RunDLL32 Spawning Explorer
Detects RunDLL32.exe spawning explorer.exe as a child, which is very uncommon; Gamarue is often observed spawning the explorer.exe process in this unusual way
Potentially Suspicious Rundll32 Activity
Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
Suspicious Control Panel DLL Load
Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
Suspicious Rundll32 Execution With Image Extension
Detects the execution of Rundll32.exe with DLL files masquerading as image files
Suspicious ShellExec_RunDLL Call Via Ordinal
Detects a suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through its ordinal number to launch other commands. An adversary might use only the ordinal number in order to bypass existing detections that alert on usage of ShellExec_RunDLL on the CommandLine.
Suspicious Rundll32 Activity Invoking Sys File
Detects a suspicious process related to rundll32 based on a command line that includes a *.sys file, as seen being used by UNC2452
Potentially Suspicious Rundll32.EXE Execution of UDL File
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
Rundll32 Execution With Uncommon DLL Extension
Detects the execution of rundll32 with a command line that doesn't contain a common extension
Rundll32 UNC Path Execution
Detects rundll32 execution where the DLL is located on a remote location (network share)
Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
Potential PowerShell Execution Via DLL
Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine.
ScreenSaver Registry Key Set
Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
ZxShell Malware
Detects a ZxShell start by its well-known called function name
Fireball Archer Install
Detects Archer malware invocation via rundll32
NotPetya Ransomware Activity
Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
Sofacy Trojan Loader Activity
Detects Trojan loader activity as used by APT28
APT29 2018 Phishing Campaign File Indicators
Detects indicators of the APT 29 (Cozy Bear) phishing campaign as reported by Mandiant
APT29 2018 Phishing Campaign CommandLine Indicators
Detects indicators of the APT 29 (Cozy Bear) phishing campaign as reported by Mandiant
Equation Group DLL_U Export Function Load
Detects a specific export function name used by one of the Equation Group tools
Potential Emotet Rundll32 Execution
Detects Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
EvilNum APT Golden Chickens Deployment Via OCX Files
Detects the Golden Chickens deployment method as used by Evilnum and described in the ESET July 2020 report
Potential Bumblebee Remote Thread Creation
Detects remote thread injection events based on actions seen used by Bumblebee
IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
Detects RunDLL32.exe executing a single-digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware, and especially by IcedID
Rhadamanthys Stealer Module Launch Via Rundll32.EXE
Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
Kapeka Backdoor Loaded Via Rundll32.EXE
Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
Kapeka Backdoor Execution Via RunDLL32.EXE
Detects the Kapeka backdoor process execution pattern, where the dropper launches the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
Potential Raspberry Robin CPL Execution Activity
Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.
DLL Call by Ordinal Via Rundll32.EXE
Detects calls of DLL exports by ordinal number via rundll32.exe.