title: Suspicious Rundll32 Setupapi.dll Activity
author: Konstantin Grishchenko, oscd.community
date: 2020/10/07
description: setupapi.dll library provide InstallHinfSection function for processing
    INF files. INF file may contain instructions allowing to create values in the
    registry, modify files and install drivers. This technique could be used to obtain
    persistence via modifying one of Run or RunOnce registry keys, run process or
    use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll
    calls runonce.exe executable regardless of actual content of INF file.
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        Image: '*\runonce.exe'
    SELECTION_3:
        ParentImage: '*\rundll32.exe'
    SELECTION_4:
        ParentCommandLine: '*setupapi.dll*'
    SELECTION_5:
        ParentCommandLine: '*InstallHinfSection*'
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Scripts and administrative tools that use INF files for driver installation with
    setupapi.dll
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 285b85b1-a555-4095-8652-a8a4106af63f
level: medium
logsource:
    category: process_creation
    product: windows
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
- https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
- https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
- https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
status: experimental
tags:
- attack.defense_evasion
- attack.t1218.011
yml_filename: win_susp_rundll32_setupapi_installhinfsection.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation