CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
5da0f5e322de5996e616563f73d6da3be4e10bc3
hayabusa/rules/sigma/process_creation/win_susp_rundll32_activity.yml
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

109 lines
3.2 KiB
YAML
Raw Blame History

title: Suspicious Rundll32 Activity
ruletype: Sigma
author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019/01/16
description: Detects suspicious process related to rundll32 based on arguments
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*zipfldr.dll*'
SELECTION_11:
CommandLine: '*RouteTheCall*'
SELECTION_12:
CommandLine: '*shell32.dll*'
SELECTION_13:
CommandLine: '*Control_RunDLL*'
SELECTION_14:
CommandLine: '*shell32.dll*'
SELECTION_15:
CommandLine: '*ShellExec_RunDLL*'
SELECTION_16:
CommandLine: '*mshtml.dll*'
SELECTION_17:
CommandLine: '*PrintHTML*'
SELECTION_18:
CommandLine: '*advpack.dll*'
SELECTION_19:
CommandLine: '*LaunchINFSection*'
SELECTION_2:
CommandLine: '*javascript:*'
SELECTION_20:
CommandLine: '*advpack.dll*'
SELECTION_21:
CommandLine: '*RegisterOCX*'
SELECTION_22:
CommandLine: '*ieadvpack.dll*'
SELECTION_23:
CommandLine: '*LaunchINFSection*'
SELECTION_24:
CommandLine: '*ieadvpack.dll*'
SELECTION_25:
CommandLine: '*RegisterOCX*'
SELECTION_26:
CommandLine: '*ieframe.dll*'
SELECTION_27:
CommandLine: '*OpenURL*'
SELECTION_28:
CommandLine: '*shdocvw.dll*'
SELECTION_29:
CommandLine: '*OpenURL*'
SELECTION_3:
CommandLine: '*.RegisterXLL*'
SELECTION_30:
CommandLine: '*syssetup.dll*'
SELECTION_31:
CommandLine: "*SetupInfObjectInstallAction'*"
SELECTION_32:
CommandLine: '*setupapi.dll*'
SELECTION_33:
CommandLine: '*InstallHinfSection*'
SELECTION_34:
CommandLine: '*pcwutl.dll*'
SELECTION_35:
CommandLine: '*LaunchApplication*'
SELECTION_36:
CommandLine: '*dfshim.dll*'
SELECTION_37:
CommandLine: '*ShOpenVerbApplication*'
SELECTION_4:
CommandLine: '*url.dll*'
SELECTION_5:
CommandLine: '*OpenURL*'
SELECTION_6:
CommandLine: '*url.dll*'
SELECTION_7:
CommandLine: '*OpenURLA*'
SELECTION_8:
CommandLine: '*url.dll*'
SELECTION_9:
CommandLine: '*FileProtocolHandler*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9) or (SELECTION_10
and SELECTION_11) or (SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15)
or (SELECTION_16 and SELECTION_17) or (SELECTION_18 and SELECTION_19) or (SELECTION_20
and SELECTION_21) or (SELECTION_22 and SELECTION_23) or (SELECTION_24 and SELECTION_25)
or (SELECTION_26 and SELECTION_27) or (SELECTION_28 and SELECTION_29) or (SELECTION_30
and SELECTION_31) or (SELECTION_32 and SELECTION_33) or (SELECTION_34 and SELECTION_35)
or (SELECTION_36 and SELECTION_37)))
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored
environment
id: e593cf51-88db-4ee1-b920-37e89012a3c9
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/12/04
references:
- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
- https://twitter.com/Hexacorn/status/885258886428725250
- https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
status: test
tags:
- attack.defense_evasion
- attack.execution
- attack.t1218.011
- attack.t1085
Reference in New Issue View Git Blame Copy Permalink