title: Suspicious Rundll32 Activity Invoking Sys File
author: Florian Roth
date: 2021/03/05
description: Detects suspicious process related to rundll32 based on command line
  that includes a *.sys file as seen being used by UNC2452
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine: '*rundll32.exe*'
  SELECTION_3:
    CommandLine:
    - '*.sys,*'
    - '*.sys *'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 731231b9-0b5d-4219-94dd-abb6959aa7ea
level: high
logsource:
  category: process_creation
  product: windows
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
status: experimental
tags:
- attack.defense_evasion
- attack.t1218.011
ruletype: SIGMA