Potentially Suspicious Rundll32.EXE Execution of UDL File

Rule Info

Name: Potentially Suspicious Rundll32.EXE Execution of UDL File
Author: @kostastsale
Description: Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
Date: 2024-08-16 00:00:00
Modified: None
Id: 0ea52357-cd59-4340-9981-c46c7e900428
Tags: attack.execution attack.t1218.011 attack.t1071
Type: Community Rule

Rule History

Author: Kostas
Title: Merge PR #4974 from @tsale - Add `Potentially Suspicious Rundll32.EXE Execution of UDL File`
Date: 2024-08-16
Commit: