CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
a00a114101ab33eda2e75c9cf2ddab57cccea821
hayabusa/rules/sigma/process_creation/win_susp_rundll32_activity.yml
DustInDark 0cfa806baf Feature/addruletype to sigma rule#230 (#235) 
* added ruletype to SIGMA rule #230

* added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00

108 lines
3.2 KiB
YAML
Raw Blame History

title: Suspicious Rundll32 Activity
author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019/01/16
description: Detects suspicious process related to rundll32 based on arguments
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*RouteTheCall*'
SELECTION_11:
CommandLine: '*shell32.dll*'
SELECTION_12:
CommandLine: '*Control_RunDLL*'
SELECTION_13:
CommandLine: '*shell32.dll*'
SELECTION_14:
CommandLine: '*ShellExec_RunDLL*'
SELECTION_15:
CommandLine: '*mshtml.dll*'
SELECTION_16:
CommandLine: '*PrintHTML*'
SELECTION_17:
CommandLine: '*advpack.dll*'
SELECTION_18:
CommandLine: '*LaunchINFSection*'
SELECTION_19:
CommandLine: '*advpack.dll*'
SELECTION_2:
CommandLine:
- '*javascript:*'
- '*.RegisterXLL*'
SELECTION_20:
CommandLine: '*RegisterOCX*'
SELECTION_21:
CommandLine: '*ieadvpack.dll*'
SELECTION_22:
CommandLine: '*LaunchINFSection*'
SELECTION_23:
CommandLine: '*ieadvpack.dll*'
SELECTION_24:
CommandLine: '*RegisterOCX*'
SELECTION_25:
CommandLine: '*ieframe.dll*'
SELECTION_26:
CommandLine: '*OpenURL*'
SELECTION_27:
CommandLine: '*shdocvw.dll*'
SELECTION_28:
CommandLine: '*OpenURL*'
SELECTION_29:
CommandLine: '*syssetup.dll*'
SELECTION_3:
CommandLine: '*url.dll*'
SELECTION_30:
CommandLine: "*SetupInfObjectInstallAction'*"
SELECTION_31:
CommandLine: '*setupapi.dll*'
SELECTION_32:
CommandLine: '*InstallHinfSection*'
SELECTION_33:
CommandLine: '*pcwutl.dll*'
SELECTION_34:
CommandLine: '*LaunchApplication*'
SELECTION_35:
CommandLine: '*dfshim.dll*'
SELECTION_36:
CommandLine: '*ShOpenVerbApplication*'
SELECTION_4:
CommandLine: '*OpenURL*'
SELECTION_5:
CommandLine: '*url.dll*'
SELECTION_6:
CommandLine: '*OpenURLA*'
SELECTION_7:
CommandLine: '*url.dll*'
SELECTION_8:
CommandLine: '*FileProtocolHandler*'
SELECTION_9:
CommandLine: '*zipfldr.dll*'
condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4) or (SELECTION_5
and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10)
or (SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14) or (SELECTION_15
and SELECTION_16) or (SELECTION_17 and SELECTION_18) or (SELECTION_19 and SELECTION_20)
or (SELECTION_21 and SELECTION_22) or (SELECTION_23 and SELECTION_24) or (SELECTION_25
and SELECTION_26) or (SELECTION_27 and SELECTION_28) or (SELECTION_29 and SELECTION_30)
or (SELECTION_31 and SELECTION_32) or (SELECTION_33 and SELECTION_34) or (SELECTION_35
and SELECTION_36)))
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored
environment
id: e593cf51-88db-4ee1-b920-37e89012a3c9
level: medium
logsource:
category: process_creation
product: windows
references:
- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
- https://twitter.com/Hexacorn/status/885258886428725250
- https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
status: experimental
tags:
- attack.defense_evasion
- attack.execution
- attack.t1218.011
- attack.t1085
ruletype: SIGMA
Reference in New Issue View Git Blame Copy Permalink