title: DLL Execution via Rasautou.exe
author: Julia Fomina, oscd.community
date: 2020/10/09
description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d
  option and executes the export specified in -p.
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\rasautou.exe'
  SELECTION_3:
    OriginalFileName: rasdlui.exe
  SELECTION_4:
    CommandLine: '*-d*'
  SELECTION_5:
    CommandLine: '*-p*'
  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4 and SELECTION_5))
falsepositives:
- Unlikely
id: cd3d1298-eb3b-476c-ac67-12847de55813
level: medium
logsource:
  category: process_creation
  definition: Since options '-d' and '-p' were removed in Windows 10 this rule is
    relevant only for Windows before 10. And as Windows 7 doesn't log command line
    in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375
    installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
  product: windows
references:
- https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
- https://github.com/fireeye/DueDLLigence
- https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
ruletype: SIGMA