Potentially Suspicious Rundll32.EXE Execution of UDL File

Rule Info

Name
Potentially Suspicious Rundll32.EXE Execution of UDL File
Author
@kostastsale
Description
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL (Microsoft Data Link) file. Opening a .udl file this way launches the Data Link Properties dialog, which can prompt the user for a user name and password and then connects to the server named in the file. Threat actors can abuse this technique as a phishing vector, delivering a crafted UDL file so that authentication credentials or other sensitive data entered by the victim are submitted to a server of their choosing.
Date
2024-08-16
Modified
None
Id
0ea52357-cd59-4340-9981-c46c7e900428
Tags
attack.defense-evasion attack.execution attack.command-and-control attack.t1218.011 attack.t1071
Type
Community Rule
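
As an added illustration (not the rule's own Sigma selection, which this page does not reproduce), the following Python matcher applies the three conditions implied by the description to constructed process-creation events: the image is rundll32.exe, the command line references oledb32.dll, and the command line names a .udl file. The command-line shape in the samples is the one Windows produces when a .udl file is opened through its file association (`rundll32.exe "...\oledb32.dll",OpenDSLFile <file>`); the field names, parent processes, user names and paths are assumptions made for the example.

```python
"""Flag rundll32.exe launching oledb32.dll against a .udl file.

Added example: a small matcher over constructed process-creation events that
approximates the behaviour described by the rule. It is not the rule's own
published Sigma selection.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessCreationEvent:
    """The three fields this check needs from a Sysmon Event ID 1 or
    Security 4688 record (field names are this example's own)."""
    image: str
    command_line: str
    parent_image: str


# The .udl argument: either a quoted path (may contain spaces) or a bare token.
# Case-insensitive because Windows paths and rundll32 arguments are.
_UDL_ARG = re.compile(r'"([^"]*?\.udl)"|(\S+?\.udl)(?!\S)', re.IGNORECASE)


def udl_path_if_suspicious(ev: ProcessCreationEvent) -> Optional[str]:
    """Return the .udl path when rundll32.exe is loading oledb32.dll to open
    a UDL file, otherwise None. All three conditions must hold, so an
    unrelated rundll32 invocation or another program opening a .udl file
    does not match."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return None
    if "oledb32.dll" not in ev.command_line.lower():
        return None
    m = _UDL_ARG.search(ev.command_line)
    if m is None:
        return None
    return m.group(1) or m.group(2)


def find_udl_opens(events: List[ProcessCreationEvent]) -> List[Tuple[str, str]]:
    """(parent image, .udl path) for every matching event; the parent tells
    the analyst whether the file was opened from Explorer, a mail client, etc."""
    hits = []
    for ev in events:
        path = udl_path_if_suspicious(ev)
        if path is not None:
            hits.append((ev.parent_image, path))
    return hits


# Constructed sample telemetry (not real logs). The first two reproduce the
# command line Windows generates when a .udl file is opened through its file
# association; the rest are look-alikes that must not match.
SAMPLE_EVENTS = [
    ProcessCreationEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r'C:\Windows\System32\rundll32.exe "C:\Program Files\Common Files\System\Ole DB\oledb32.dll",OpenDSLFile C:\Users\alice\Downloads\invoice.udl',
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcessCreationEvent(  # attachment opened from a mail client; quoted path with a space, upper-case extension
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r'C:\Windows\System32\rundll32.exe "C:\Program Files\Common Files\System\Ole DB\oledb32.dll",OpenDSLFile "C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\Q3 report.UDL"',
        parent_image=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    ),
    ProcessCreationEvent(  # ordinary rundll32 use, no oledb32.dll and no .udl
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcessCreationEvent(  # a .udl file opened in an editor, not via rundll32
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r"notepad.exe C:\Users\carol\Documents\conn.udl",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]


if __name__ == "__main__":
    for parent, path in find_udl_opens(SAMPLE_EVENTS):
        print(f"UDL opened via rundll32 from {parent}: {path}")
```

When a hit fires, retrieve the .udl file itself: it is a plain-text connection string, so the server it points at tells you whether the prompt was legitimate or attacker-controlled. Database administrators and developers do open UDL files by double-clicking them, which is why the rule is titled "Potentially Suspicious"; the parent process and the origin of the file (Downloads, Outlook cache, an archive) are what separate a phishing lure from routine use.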

Rule History

Author | Title | Date | Commit
github-actions[bot] | Merge PR #5506 from @nasbench - promote older rules status from `experimental` to `test` | 2025-07-01 |
david-syk | Merge PR #5389 from @david-syk - Update MITRE ATT&CK tags | 2025-05-20 |
Kostas | Merge PR #4974 from @tsale - Add `Potentially Suspicious Rundll32.EXE Execution of UDL File` | 2024-08-16 |