Suspicious Rundll32 Execution With Image Extension

Rule Info

Name
Suspicious Rundll32 Execution With Image Extension
Author
Hieu Tran
Description
Detects the execution of Rundll32.exe with DLL files masquerading as image files
Reference
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
Date
2023-03-13 00:00:00
Modified
None
Id
4aa6040b-3f28-44e3-a769-9208e5feb5ec
Tags
attack.defense-evasion attack.t1218.011
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=4aa6040b-3f28-44e3-a769-9208e5feb5ec

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
github-actions[bot]
Merge PR #4700 from @nasbench - Promote older rules status from `experimental` to `test`
2024-02-01
367ebd939
Hieu Tran
feat: new rules related to ZScaler blog - OneNote: A Growing Threat for Malware Distribution (#4111)
2023-03-17
0e934bd4b
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022