CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f71d5848fee4ffb52c83f10fbf204b3aa5e2bb1b
hayabusa/rules/Sigma/win_susp_rundll32_activity.yml
T
Tanaka Zakku 50aebce32e Added Sigma Rules
2021-11-14 11:00:56 +09:00

109 lines
3.6 KiB
YAML
Raw Blame History

title: Suspicious Rundll32 Activity
author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019/01/16
description: Detects suspicious process related to rundll32 based on arguments
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*zipfldr.dll*'
SELECTION_11:
CommandLine: '*RouteTheCall*'
SELECTION_12:
CommandLine: '*shell32.dll*'
SELECTION_13:
CommandLine: '*Control_RunDLL*'
SELECTION_14:
CommandLine: '*shell32.dll*'
SELECTION_15:
CommandLine: '*ShellExec_RunDLL*'
SELECTION_16:
CommandLine: '*mshtml.dll*'
SELECTION_17:
CommandLine: '*PrintHTML*'
SELECTION_18:
CommandLine: '*advpack.dll*'
SELECTION_19:
CommandLine: '*LaunchINFSection*'
SELECTION_2:
CommandLine: '*javascript:*'
SELECTION_20:
CommandLine: '*advpack.dll*'
SELECTION_21:
CommandLine: '*RegisterOCX*'
SELECTION_22:
CommandLine: '*ieadvpack.dll*'
SELECTION_23:
CommandLine: '*LaunchINFSection*'
SELECTION_24:
CommandLine: '*ieadvpack.dll*'
SELECTION_25:
CommandLine: '*RegisterOCX*'
SELECTION_26:
CommandLine: '*ieframe.dll*'
SELECTION_27:
CommandLine: '*OpenURL*'
SELECTION_28:
CommandLine: '*shdocvw.dll*'
SELECTION_29:
CommandLine: '*OpenURL*'
SELECTION_3:
CommandLine: '*.RegisterXLL*'
SELECTION_30:
CommandLine: '*syssetup.dll*'
SELECTION_31:
CommandLine: '*SetupInfObjectInstallAction''*'
SELECTION_32:
CommandLine: '*setupapi.dll*'
SELECTION_33:
CommandLine: '*InstallHinfSection*'
SELECTION_34:
CommandLine: '*pcwutl.dll*'
SELECTION_35:
CommandLine: '*LaunchApplication*'
SELECTION_36:
CommandLine: '*dfshim.dll*'
SELECTION_37:
CommandLine: '*ShOpenVerbApplication*'
SELECTION_4:
CommandLine: '*url.dll*'
SELECTION_5:
CommandLine: '*OpenURL*'
SELECTION_6:
CommandLine: '*url.dll*'
SELECTION_7:
CommandLine: '*OpenURLA*'
SELECTION_8:
CommandLine: '*url.dll*'
SELECTION_9:
CommandLine: '*FileProtocolHandler*'
condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or (SELECTION_4 and
SELECTION_5) or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9)
or (SELECTION_10 and SELECTION_11) or (SELECTION_12 and SELECTION_13) or (SELECTION_14
and SELECTION_15) or (SELECTION_16 and SELECTION_17) or (SELECTION_18 and
SELECTION_19) or (SELECTION_20 and SELECTION_21) or (SELECTION_22 and SELECTION_23)
or (SELECTION_24 and SELECTION_25) or (SELECTION_26 and SELECTION_27) or (SELECTION_28
and SELECTION_29) or (SELECTION_30 and SELECTION_31) or (SELECTION_32 and
SELECTION_33) or (SELECTION_34 and SELECTION_35) or (SELECTION_36 and SELECTION_37)))
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored
environment
id: e593cf51-88db-4ee1-b920-37e89012a3c9
level: medium
logsource:
category: process_creation
product: windows
references:
- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
- https://twitter.com/Hexacorn/status/885258886428725250
- https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
status: experimental
tags:
- attack.defense_evasion
- attack.execution
- attack.t1218.011
- attack.t1085
yml_filename: win_susp_rundll32_activity.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
Reference in New Issue View Git Blame Copy Permalink