Detection rules › Sigma

Suspicious ShellExec_RunDLL Call Via Ordinal

Status
test
Severity
high
Author
Swachchhanda Shrawan Poudel
Source
github.com/SigmaHQ/sigma

Detects a suspicious call to the "ShellExec_RunDLL" function exported by SHELL32.DLL, invoked through its ordinal number rather than its name, to launch other commands. An adversary might use only the ordinal in order to bypass existing detections that alert on the string "ShellExec_RunDLL" in the command line.

MITRE ATT&CK coverage

Technique: T1218.011 (System Binary Proxy Execution: Rundll32), from the rule's attack.t1218.011 tag.

Event coverage

Provider: Sysmon
Event: Event ID 1
Title: Process creation

Rule body yaml

title: Suspicious ShellExec_RunDLL Call Via Ordinal
id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
related:
    - id: d87bd452-6da1-456e-8155-7dc988157b7d
      type: derived
status: test
description: |
    Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
    Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
references:
    - https://redcanary.com/blog/raspberry-robin/
    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
    - https://github.com/SigmaHQ/sigma/issues/1009
    - https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
author: Swachchhanda Shrawan Poudel
date: 2024-12-01
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent_img:
        ParentCommandLine|contains: 'SHELL32.DLL'
    selection_parent_ordinal:
        ParentCommandLine|contains:
            # Note: The ordinal number may differ depending on the DLL version
            # Example: rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"
            - '#568'
            - '#570'
            - '#572'
            - '#576'
    selection_susp_cli_parent:
        # Note: Add additional binaries and suspicious paths to increase coverage
        - ParentCommandLine|contains:
              - 'comspec'
              - 'iex'
              - 'Invoke-'
              - 'msiexec'
              - 'odbcconf'
              - 'regsvr32'
        - ParentCommandLine|contains:
              - '\Desktop\'
              - '\ProgramData\'
              - '\Temp\'
              - '\Users\Public\'
    selection_susp_child_img:
        Image|endswith:
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\msxsl.exe'
            - '\odbcconf.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: all of selection_parent_* and 1 of selection_susp_*
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: condition

all of selection_parent_* and 1 of selection_susp_*

Stage 1: selection_parent_img

selection_parent_img:
    ParentCommandLine|contains: 'SHELL32.DLL'

Stage 2: selection_parent_ordinal

selection_parent_ordinal:
    ParentCommandLine|contains:
        # Note: The ordinal number may differ depending on the DLL version
        # Example: rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"
        - '#568'
        - '#570'
        - '#572'
        - '#576'

Stage 3: selection_susp_cli_parent

selection_susp_cli_parent:
    # Note: Add additional binaries and suspicious paths to increase coverage
    - ParentCommandLine|contains:
          - 'comspec'
          - 'iex'
          - 'Invoke-'
          - 'msiexec'
          - 'odbcconf'
          - 'regsvr32'
    - ParentCommandLine|contains:
          - '\Desktop\'
          - '\ProgramData\'
          - '\Temp\'
          - '\Users\Public\'

Stage 4: selection_susp_child_img

selection_susp_child_img:
    Image|endswith:
        - '\bash.exe'
        - '\bitsadmin.exe'
        - '\cmd.exe'
        - '\cscript.exe'
        - '\curl.exe'
        - '\mshta.exe'
        - '\msiexec.exe'
        - '\msxsl.exe'
        - '\odbcconf.exe'
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\regsvr32.exe'
        - '\schtasks.exe'
        - '\wmic.exe'
        - '\wscript.exe'
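
The condition reads: both selection_parent_* blocks must match, and at least one of the two selection_susp_* blocks. As an added example, not part of the SigmaHQ rule or its repository, the following Python reimplements that logic over a handful of constructed Sysmon Event ID 1 records so the AND/OR structure and the rule's scope boundaries can be checked directly. Field names follow Sysmon (Image, ParentCommandLine); the command lines and paths in the samples are made up for this example.

```python
"""
Reference evaluation of Sigma rule 8823e85d-31d8-473e-b7f4-92da070f0fc6
(Suspicious ShellExec_RunDLL Call Via Ordinal) over constructed Sysmon
Event ID 1 records. Example code only, not the SigmaHQ project's own.
"""

# Sigma string matching is case-insensitive unless a |cased modifier is used,
# so every comparison below lowercases both sides.
PARENT_IMG_NEEDLE = "shell32.dll"
# The ordinal of ShellExec_RunDLL differs between SHELL32.DLL versions; the rule
# lists four known values. A build whose ordinal is not in this tuple is missed.
ORDINALS = ("#568", "#570", "#572", "#576")
# selection_susp_cli_parent is a list of two maps; list items are OR-ed in
# Sigma, so the two value lists collapse into one "contains any of" check.
SUSP_PARENT_CLI = (
    "comspec", "iex", "invoke-", "msiexec", "odbcconf", "regsvr32",
    "\\desktop\\", "\\programdata\\", "\\temp\\", "\\users\\public\\",
)
SUSP_CHILD_IMAGES = (
    "\\bash.exe", "\\bitsadmin.exe", "\\cmd.exe", "\\cscript.exe", "\\curl.exe",
    "\\mshta.exe", "\\msiexec.exe", "\\msxsl.exe", "\\odbcconf.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\regsvr32.exe", "\\schtasks.exe",
    "\\wmic.exe", "\\wscript.exe",
)


def contains_any(value, needles):
    """Sigma |contains against a value list: true if any needle is a substring."""
    value = value.lower()
    return any(n.lower() in value for n in needles)


def endswith_any(value, needles):
    """Sigma |endswith against a value list."""
    value = value.lower()
    return any(value.endswith(n.lower()) for n in needles)


def matches(event):
    """True if a process_creation event satisfies
    'all of selection_parent_* and 1 of selection_susp_*'."""
    parent_cli = event.get("ParentCommandLine", "")
    image = event.get("Image", "")
    selection_parent_img = PARENT_IMG_NEEDLE in parent_cli.lower()
    selection_parent_ordinal = contains_any(parent_cli, ORDINALS)
    selection_susp_cli_parent = contains_any(parent_cli, SUSP_PARENT_CLI)
    selection_susp_child_img = endswith_any(image, SUSP_CHILD_IMAGES)
    return (selection_parent_img and selection_parent_ordinal
            and (selection_susp_cli_parent or selection_susp_child_img))


# Constructed Sysmon Event ID 1 records (not real telemetry). The parent is the
# rundll32 process; Image is the child it spawned.
SAMPLE_EVENTS = {
    # The example from the rule comment: ordinal call spawning cmd.exe.
    "ordinal_spawns_cmd": {
        "ParentCommandLine": 'rundll32.exe SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"',
        "Image": r"C:\Windows\System32\cmd.exe",
    },
    # Child is not in the image list, but the parent command line points into
    # \Users\Public\, which satisfies selection_susp_cli_parent instead.
    "ordinal_public_path": {
        "ParentCommandLine": r"rundll32.exe shell32.dll,#572 C:\Users\Public\update.exe",
        "Image": r"C:\Users\Public\update.exe",
    },
    # Named export instead of ordinal: outside this rule's scope (the related
    # rule d87bd452-6da1-456e-8155-7dc988157b7d is the one for the named form).
    "named_export": {
        "ParentCommandLine": "rundll32.exe SHELL32.DLL,ShellExec_RunDLL cmd.exe /c whoami",
        "Image": r"C:\Windows\System32\cmd.exe",
    },
    # Ordinal call, but neither a listed child nor a suspicious parent string.
    "ordinal_benign_child": {
        "ParentCommandLine": "rundll32.exe SHELL32.DLL,#572 notepad.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
    },
    # An ordinal the rule does not list: illustrates the DLL-version caveat.
    "unlisted_ordinal": {
        "ParentCommandLine": 'rundll32.exe SHELL32.DLL,#574 "cmd.exe" "/c whoami"',
        "Image": r"C:\Windows\System32\cmd.exe",
    },
}


def evaluate_samples():
    """Map each sample name to the rule verdict."""
    return {name: matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT ' if hit else 'no hit'}  {name}")
```

The two misses are the points to keep in mind when deploying the rule: the named-export form is deliberately left to the related rule, while an unlisted ordinal is a coverage gap. Before extending the ordinal list, confirm the export ordinal of ShellExec_RunDLL in the SHELL32.DLL builds actually deployed in the environment, since the rule's own comment notes the number varies by DLL version.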

Indicators

Each row is a field, an operator, and the values the rule matches on. The corpus column counts how many other rules in the catalog look for the same combination: a high number points to a widely used, community-vetted indicator, while a blank or a 1 means the indicator is specific to this rule.

Field: Image
Kind: ends_with
Values:
  • \bash.exe corpus 22 (sigma 22)
  • \bitsadmin.exe corpus 29 (sigma 29)
  • \cmd.exe corpus 134 (sigma 134)
  • \cscript.exe corpus 76 (sigma 76)
  • \curl.exe corpus 30 (sigma 30)
  • \mshta.exe corpus 69 (sigma 69)
  • \msiexec.exe corpus 25 (sigma 25)
  • \msxsl.exe corpus 7 (sigma 7)
  • \odbcconf.exe corpus 11 (sigma 11)
  • \powershell.exe corpus 186 (sigma 186)
  • \pwsh.exe corpus 172 (sigma 172)
  • \regsvr32.exe corpus 68 (sigma 68)
  • \schtasks.exe corpus 57 (sigma 57)
  • \wmic.exe corpus 61 (sigma 61)
  • \wscript.exe corpus 78 (sigma 78)

Field: ParentCommandLine
Kind: match
Values:
  • #568
  • #570
  • #572
  • #576
  • Invoke-
  • SHELL32.DLL
  • \Desktop\
  • \ProgramData\
  • \Temp\
  • \Users\Public\
  • comspec
  • iex
  • msiexec
  • odbcconf
  • regsvr32