DLL Execution Via Rundll32.EXE From Uncommon Paths

Rule Info

Name
DLL Execution Via Rundll32.EXE From Uncommon Paths
Author
Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the execution of a DLL via the Rundll32 utility where the DLL is located in an uncommon and potentially suspicious location. Attackers often drop DLLs in uncommon locations to evade detection and filters.
Date
2024-02-28 00:00:00
Modified
2025-02-25 00:00:00
Id
35070bc6-141a-4b81-af31-d27b66980c47
Tags
detection.emerging-threats attack.defense-evasion attack.execution
Type
Nextron Sigma feed only (private)

Rule History