title: Suspicious Rundll32 Activity
author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019/01/16
description: Detects suspicious rundll32 process executions based on their command-line arguments
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        CommandLine:
            - '*javascript:*'
            - '*.RegisterXLL*'
    SELECTION_3:
        CommandLine: '*url.dll*'
    SELECTION_4:
        CommandLine: '*OpenURL*'
    SELECTION_5:
        CommandLine: '*url.dll*'
    SELECTION_6:
        CommandLine: '*OpenURLA*'
    SELECTION_7:
        CommandLine: '*url.dll*'
    SELECTION_8:
        CommandLine: '*FileProtocolHandler*'
    SELECTION_9:
        CommandLine: '*zipfldr.dll*'
    SELECTION_10:
        CommandLine: '*RouteTheCall*'
    SELECTION_11:
        CommandLine: '*shell32.dll*'
    SELECTION_12:
        CommandLine: '*Control_RunDLL*'
    SELECTION_13:
        CommandLine: '*shell32.dll*'
    SELECTION_14:
        CommandLine: '*ShellExec_RunDLL*'
    SELECTION_15:
        CommandLine: '*mshtml.dll*'
    SELECTION_16:
        CommandLine: '*PrintHTML*'
    SELECTION_17:
        CommandLine: '*advpack.dll*'
    SELECTION_18:
        CommandLine: '*LaunchINFSection*'
    SELECTION_19:
        CommandLine: '*advpack.dll*'
    SELECTION_20:
        CommandLine: '*RegisterOCX*'
    SELECTION_21:
        CommandLine: '*ieadvpack.dll*'
    SELECTION_22:
        CommandLine: '*LaunchINFSection*'
    SELECTION_23:
        CommandLine: '*ieadvpack.dll*'
    SELECTION_24:
        CommandLine: '*RegisterOCX*'
    SELECTION_25:
        CommandLine: '*ieframe.dll*'
    SELECTION_26:
        CommandLine: '*OpenURL*'
    SELECTION_27:
        CommandLine: '*shdocvw.dll*'
    SELECTION_28:
        CommandLine: '*OpenURL*'
    SELECTION_29:
        CommandLine: '*syssetup.dll*'
    SELECTION_30:
        CommandLine: "*SetupInfObjectInstallAction'*"
    SELECTION_31:
        CommandLine: '*setupapi.dll*'
    SELECTION_32:
        CommandLine: '*InstallHinfSection*'
    SELECTION_33:
        CommandLine: '*pcwutl.dll*'
    SELECTION_34:
        CommandLine: '*LaunchApplication*'
    SELECTION_35:
        CommandLine: '*dfshim.dll*'
    SELECTION_36:
        CommandLine: '*ShOpenVerbApplication*'
    condition: >
        SELECTION_1 and (
            SELECTION_2
            or (SELECTION_3 and SELECTION_4)
            or (SELECTION_5 and SELECTION_6)
            or (SELECTION_7 and SELECTION_8)
            or (SELECTION_9 and SELECTION_10)
            or (SELECTION_11 and SELECTION_12)
            or (SELECTION_13 and SELECTION_14)
            or (SELECTION_15 and SELECTION_16)
            or (SELECTION_17 and SELECTION_18)
            or (SELECTION_19 and SELECTION_20)
            or (SELECTION_21 and SELECTION_22)
            or (SELECTION_23 and SELECTION_24)
            or (SELECTION_25 and SELECTION_26)
            or (SELECTION_27 and SELECTION_28)
            or (SELECTION_29 and SELECTION_30)
            or (SELECTION_31 and SELECTION_32)
            or (SELECTION_33 and SELECTION_34)
            or (SELECTION_35 and SELECTION_36)
        )
falsepositives:
    - False positives depend on the scripts and administrative tools used in the monitored environment
id: e593cf51-88db-4ee1-b920-37e89012a3c9
level: medium
logsource:
    category: process_creation
    product: windows
references:
    - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
    - https://twitter.com/Hexacorn/status/885258886428725250
    - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
status: experimental
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1218.011
    - attack.t1085
ruletype: SIGMA
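The rule's condition pairs a DLL name with one of its exports and ORs those pairs together under the EventID 1 scope. The following Python script is an added example, not part of the rule or of the Sigma project: it re-implements just enough of Sigma's matching semantics for this rule (the `*` wildcard, case-insensitive comparison, and the and/or condition) and runs the logic over a handful of constructed Sysmon-style process-creation events, including a legitimate administrative command line that the rule still flags, so the false-positive behaviour the rule warns about is visible. Field names follow the rule; the events, the `evaluate` and `scan` helpers and their labels are assumptions for illustration.

```python
"""Evaluate the 'Suspicious Rundll32 Activity' detection over sample events.

Added example; it is not part of the rule or of the Sigma project. It
re-implements only what this rule needs from Sigma's matching semantics:
'*' wildcards, case-insensitive comparison, and the rule's and/or condition.
Field names follow the rule (EventID, CommandLine); the events are constructed.
"""
import re
from typing import Optional


def sigma_match(value: str, pattern: str) -> bool:
    """Sigma-style string match: '*' is a wildcard, comparison is
    case-insensitive, and the pattern must cover the whole field value."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


# SELECTION_2 from the rule: either string alone is enough to fire.
STANDALONE_PATTERNS = ["*javascript:*", "*.RegisterXLL*"]

# SELECTION_3 .. SELECTION_36 from the rule, regrouped as the (dll, export)
# pairs the condition ANDs together. Values are copied from the rule as written.
PAIRED_PATTERNS = [
    ("*url.dll*", "*OpenURL*"),
    ("*url.dll*", "*OpenURLA*"),
    ("*url.dll*", "*FileProtocolHandler*"),
    ("*zipfldr.dll*", "*RouteTheCall*"),
    ("*shell32.dll*", "*Control_RunDLL*"),
    ("*shell32.dll*", "*ShellExec_RunDLL*"),
    ("*mshtml.dll*", "*PrintHTML*"),
    ("*advpack.dll*", "*LaunchINFSection*"),
    ("*advpack.dll*", "*RegisterOCX*"),
    ("*ieadvpack.dll*", "*LaunchINFSection*"),
    ("*ieadvpack.dll*", "*RegisterOCX*"),
    ("*ieframe.dll*", "*OpenURL*"),
    ("*shdocvw.dll*", "*OpenURL*"),
    ("*syssetup.dll*", "*SetupInfObjectInstallAction'*"),
    ("*setupapi.dll*", "*InstallHinfSection*"),
    ("*pcwutl.dll*", "*LaunchApplication*"),
    ("*dfshim.dll*", "*ShOpenVerbApplication*"),
]


def evaluate(event: dict) -> Optional[str]:
    """Return a label for the selection that matched, or None if the rule does not fire."""
    # SELECTION_1: only Sysmon EventID 1 (process creation) is in scope.
    if event.get("EventID") != 1:
        return None
    cmd = event.get("CommandLine", "")
    for pattern in STANDALONE_PATTERNS:
        if sigma_match(cmd, pattern):
            return f"CommandLine matches {pattern}"
    for dll, export in PAIRED_PATTERNS:
        if sigma_match(cmd, dll) and sigma_match(cmd, export):
            return f"CommandLine matches {dll} and {export}"
    return None


def scan(events) -> list:
    """Run the rule over a list of events; return (index, label) for each hit."""
    hits = []
    for idx, event in enumerate(events):
        label = evaluate(event)
        if label is not None:
            hits.append((idx, label))
    return hits


# Constructed process-creation events (Sysmon-style fields, not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate admin use of a listed DLL/export pair: the rule fires anyway,
    # which is the kind of false positive the rule's falsepositives note covers.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    # zipfldr.dll,RouteTheCall used to open a file: listed pair, fires.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe zipfldr.dll,RouteTheCall C:\Users\Public\notes.txt"},
    # Mixed case: still matches because Sigma comparison is case-insensitive.
    {"EventID": 1, "Image": r"C:\Windows\System32\RUNDLL32.EXE",
     "CommandLine": "RUNDLL32.EXE URL.DLL,OpenURL https://example.invalid/"},
    # printui.dll is not in the rule: does not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe printui.dll,PrintUIEntry /in /n \\print01\hq-laser"},
    # Listed pair, but a network-connection event (EventID 3): out of scope.
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe url.dll,FileProtocolHandler https://example.invalid/"},
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Running the script reports events 0, 1 and 2 as hits and stays silent on 3 and 4. The first hit is the point to notice when tuning: `shell32.dll,Control_RunDLL` is routinely invoked by legitimate administrative tooling, so an environment that deploys this rule at `level: medium` should expect to whitelist known parent processes or arguments rather than treat every hit as an incident.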