Potentially Suspicious Rundll32 Activity

Severity: medium
Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1218.011` System Binary Proxy Execution: Rundll32

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `selection`

or:
CommandLine|contains: .RegisterXLL
CommandLine|contains: 'javascript:'
CommandLine|contains: Control_RunDLL
CommandLine|contains: shell32.dll
CommandLine|contains: FileProtocolHandler
CommandLine|contains: url.dll
CommandLine|contains: GenerateTypeLib
CommandLine|contains: http
CommandLine|contains: scrobj.dll
CommandLine|contains: ImageView_Fullscreen
CommandLine|contains: http
CommandLine|contains: shimgvw.dll
CommandLine|contains: InstallHinfSection
CommandLine|contains: setupapi.dll
CommandLine|contains: LaunchApplication
CommandLine|contains: pcwutl.dll
CommandLine|contains: LaunchINFSection
CommandLine|contains: advpack.dll
CommandLine|contains: LaunchINFSection
CommandLine|contains: ieadvpack.dll
CommandLine|contains: MiniDump
CommandLine|contains: comsvcs.dll
CommandLine|contains: OpenURL
CommandLine|contains: ieframe.dll
CommandLine|contains: OpenURL
CommandLine|contains: shdocvw.dll
CommandLine|contains: OpenURL
CommandLine|contains: url.dll
CommandLine|contains: OpenURLA
CommandLine|contains: url.dll
CommandLine|contains: PrintHTML
CommandLine|contains: mshtml.dll
CommandLine|contains: RegisterOCX
CommandLine|contains: advpack.dll
CommandLine|contains: RegisterOCX
CommandLine|contains: ieadvpack.dll
CommandLine|contains: RouteTheCall
CommandLine|contains: zipfldr.dll
CommandLine|contains: SetupInfObjectInstallAction
CommandLine|contains: syssetup.dll
CommandLine|contains: ShOpenVerbApplication
CommandLine|contains: dfshim.dll
CommandLine|contains: ShOpenVerbShortcut
CommandLine|contains: dfshim.dll
CommandLine|contains: ShellExec_RunDLL
CommandLine|contains: shell32.dll

Stage 2: `not 1 of filter_main_*`

or:
CommandLine|endswith: '.cpl",'
CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\'
ParentImage: 'C:\Windows\System32\control.exe'
CommandLine|contains: .cpl
CommandLine|contains: Control_RunDLL
CommandLine|contains: Shell32.dll
ParentCommandLine|contains: .cpl
ParentImage: 'C:\Windows\System32\control.exe'
CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	ends_with	`.cpl",`
`CommandLine`	match	`.RegisterXLL` `.cpl` corpus 4 (sigma 4) `Control_RunDLL` corpus 2 (sigma 2) `FileProtocolHandler` `GenerateTypeLib` `ImageView_Fullscreen` `InstallHinfSection` `LaunchApplication` corpus 2 (sigma 2) `LaunchINFSection` `MiniDump` corpus 3 (sigma 3) `OpenURL` `OpenURLA` `PrintHTML` `RegisterOCX` `RouteTheCall` `SetupInfObjectInstallAction` `ShOpenVerbApplication` `ShOpenVerbShortcut` `Shell32.dll` corpus 2 (sigma 2) `ShellExec_RunDLL` corpus 2 (sigma 2) `advpack.dll` `comsvcs.dll` `dfshim.dll` `http` corpus 31 (sigma 31) `ieadvpack.dll` `ieframe.dll` `javascript:` `mshtml.dll` `pcwutl.dll` `scrobj.dll` `setupapi.dll` `shdocvw.dll` `shell32.dll` corpus 2 (sigma 2) `shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver` `shimgvw.dll` `syssetup.dll` `url.dll` `zipfldr.dll`
`CommandLine`	starts_with	`"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\`
`ParentCommandLine`	match	`.cpl`
`ParentImage`	eq	`C:\Windows\System32\control.exe`