
Suspicious ShellExec_RunDLL Call Via Ordinal

Severity
high
Author
Swachchhanda Shrawan Poudel
Source
upstream

Detects a suspicious call to the "ShellExec_RunDLL" function exported by SHELL32.DLL, referenced by its ordinal number instead of its name, to launch other commands. Adversaries may use only the ordinal so that the command line never contains the string ShellExec_RunDLL, bypassing detections that alert on that name in the CommandLine field.

MITRE ATT&CK coverage

Tactic | Technique
Defense Evasion | T1218.011 System Binary Proxy Execution: Rundll32

Event coverage

Provider | Event ID | Title
Sysmon | 1 | Process creation

Stages and Predicates

Stage 1: all of selection_parent_img

ParentCommandLine|contains: SHELL32.DLL

Stage 2: all of selection_parent_ordinal

or:
ParentCommandLine|contains: '#568'
ParentCommandLine|contains: '#570'
ParentCommandLine|contains: '#572'
ParentCommandLine|contains: '#576'

Stage 3: 1 of selection_susp_cli_parent

or:
ParentCommandLine|contains: Invoke-
ParentCommandLine|contains: '\Desktop\'
ParentCommandLine|contains: '\ProgramData\'
ParentCommandLine|contains: '\Temp\'
ParentCommandLine|contains: '\Users\Public\'
ParentCommandLine|contains: comspec
ParentCommandLine|contains: iex
ParentCommandLine|contains: msiexec
ParentCommandLine|contains: odbcconf
ParentCommandLine|contains: regsvr32

Stage 4: 1 of selection_susp_child_img

or:
Image|endswith: '\bash.exe'
Image|endswith: '\bitsadmin.exe'
Image|endswith: '\cmd.exe'
Image|endswith: '\cscript.exe'
Image|endswith: '\curl.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\msiexec.exe'
Image|endswith: '\msxsl.exe'
Image|endswith: '\odbcconf.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\regsvr32.exe'
Image|endswith: '\schtasks.exe'
Image|endswith: '\wmic.exe'
Image|endswith: '\wscript.exe'
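
The four stages above expressed as a single matcher and run over constructed Sysmon Event ID 1 records. This is an added example, not part of the rule page or the Sigma project; the field names follow the rule, the sample events are constructed, and Sigma's case-insensitive `contains`/`endswith` semantics are assumed.

```python
"""Python matcher for the four Sigma stages of this rule, run over
constructed Sysmon Event ID 1 records (added example, not the rule's code)."""

# Stage 1 and 2: parent command line references SHELL32.DLL by an ordinal
PARENT_IMG = ["SHELL32.DLL"]
PARENT_ORDINALS = ["#568", "#570", "#572", "#576"]
# Stage 3: suspicious tokens in the parent command line
SUSP_CLI_PARENT = ["Invoke-", "\\Desktop\\", "\\ProgramData\\", "\\Temp\\",
                   "\\Users\\Public\\", "comspec", "iex", "msiexec",
                   "odbcconf", "regsvr32"]
# Stage 4: suspicious child images
SUSP_CHILD_IMG = ["\\bash.exe", "\\bitsadmin.exe", "\\cmd.exe", "\\cscript.exe",
                  "\\curl.exe", "\\mshta.exe", "\\msiexec.exe", "\\msxsl.exe",
                  "\\odbcconf.exe", "\\powershell.exe", "\\pwsh.exe",
                  "\\regsvr32.exe", "\\schtasks.exe", "\\wmic.exe", "\\wscript.exe"]


def _contains_any(value, needles):
    # Sigma 'contains' modifier: case-insensitive substring match
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith_any(value, suffixes):
    # Sigma 'endswith' modifier: case-insensitive suffix match
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches(event):
    """True when a process-creation event satisfies all four stages (AND)."""
    parent = event.get("ParentCommandLine", "")
    image = event.get("Image", "")
    return (_contains_any(parent, PARENT_IMG)
            and _contains_any(parent, PARENT_ORDINALS)
            and _contains_any(parent, SUSP_CLI_PARENT)
            and _endswith_any(image, SUSP_CHILD_IMG))


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",          # all four stages hold
     "ParentCommandLine": r'rundll32.exe SHELL32.DLL,#568 "C:\Users\Public\run.bat"'},
    {"Image": r"C:\Windows\System32\notepad.exe",      # benign child: stage 4 fails
     "ParentCommandLine": r'rundll32.exe SHELL32.DLL,#568 "C:\Users\Public\notes.txt"'},
    {"Image": r"C:\Windows\System32\cmd.exe",          # export by name, no ordinal: stage 2 fails
     "ParentCommandLine": r"rundll32.exe SHELL32.DLL,ShellExec_RunDLL C:\Temp\a.bat"},
]


def alerting_events(events=SAMPLE_EVENTS):
    """Return the events that would raise this rule."""
    return [e for e in events if matches(e)]
```

The third sample shows the rule's scope: a call to ShellExec_RunDLL by name is left to other rules, only the ordinal form alerts here.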

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.

Field | Kind | Values
Image | ends_with
  • \bash.exe corpus 17 (sigma 17)
  • \bitsadmin.exe corpus 23 (sigma 23)
  • \cmd.exe corpus 92 (sigma 92)
  • \cscript.exe corpus 64 (sigma 64)
  • \curl.exe corpus 19 (sigma 19)
  • \mshta.exe corpus 57 (sigma 57)
  • \msiexec.exe corpus 21 (sigma 21)
  • \msxsl.exe corpus 7 (sigma 7)
  • \odbcconf.exe corpus 11 (sigma 11)
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
  • \regsvr32.exe corpus 57 (sigma 57)
  • \schtasks.exe corpus 45 (sigma 45)
  • \wmic.exe corpus 37 (sigma 37)
  • \wscript.exe corpus 64 (sigma 64)
ParentCommandLine | match
  • #568
  • #570
  • #572
  • #576
  • Invoke-
  • SHELL32.DLL
  • \Desktop\
  • \ProgramData\
  • \Temp\
  • \Users\Public\
  • comspec
  • iex
  • msiexec
  • odbcconf
  • regsvr32