Suspicious ShellExec_RunDLL Call Via Ordinal

Rule Info

Name
Suspicious ShellExec_RunDLL Call Via Ordinal
Author
Swachchhanda Shrawan Poudel
Description
Detects suspicious calls to the "ShellExec_RunDLL" function exported by SHELL32.DLL that are made through its ordinal number rather than its name in order to launch other commands. An adversary may use only the ordinal number to bypass existing detections that alert on the string "ShellExec_RunDLL" appearing in the command line.
Date
2024-12-01 00:00:00
Modified
None
Id
8823e85d-31d8-473e-b7f4-92da070f0fc6
Tags
attack.defense-evasion attack.t1218.011
Type
Community Rule
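
The description above makes the point that a detection keyed on the string "ShellExec_RunDLL" in the command line is exactly what an ordinal call sidesteps. The following Python is added here as an illustration and is not the rule's own logic or code from the Sigma project: it puts a name-only check next to one that also recognizes rundll32's `<dll>,#<ordinal>` argument form and runs both over constructed process-creation events. The sample events, the `#123` ordinal in them (a placeholder, not the ordinal SHELL32.DLL actually assigns to ShellExec_RunDLL), and the use of Sysmon's OriginalFileName field to catch a renamed rundll32 are assumptions of this example; the real rule lists specific ordinals, which are not shown on this page.

```python
"""Name-based vs. ordinal-aware matching of rundll32 ShellExec_RunDLL calls.

Added example, not the Sigma rule's own logic. All events below are
constructed; the ordinal 123 is a placeholder, not a claim about which
ordinal shell32.dll assigns to ShellExec_RunDLL.
"""
import re

# rundll32 takes "<dll>,<entrypoint> <args>"; the entry point may be a name ...
NAMED_RE = re.compile(r"shell32(?:\.dll)?\s*,\s*ShellExec_RunDLL\b", re.I)
# ... or an ordinal written as "#<number>". This example flags ANY ordinal-style
# call into shell32.dll (broader than the rule, which names specific ordinals).
ORDINAL_RE = re.compile(r"shell32(?:\.dll)?\s*,\s*#(\d+)", re.I)

# Constructed Sysmon-style process-creation events (assumed field names).
SAMPLE_EVENTS = [
    # 0: the well-known named form, caught by string matching on the export name
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:\Users\Public\stage2.exe"'},
    # 1: the same call by ordinal (placeholder number); no export name on the command line
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'rundll32.exe shell32.dll,#123 "C:\Users\Public\stage2.exe"'},
    # 2: renamed rundll32 plus ordinal; only the PE's OriginalFileName gives it away
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"svc.exe shell32.dll,#123 cmd.exe /c whoami"},
    # 3: benign rundll32 use, must not fire
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe user32.dll,LockWorkStation"},
    # 4: the pattern appears as data in another process (an analyst grepping logs), not a call
    {"Image": r"C:\Windows\System32\findstr.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": r'findstr.exe /i "shell32.dll,#123" C:\logs\proc.log'},
]


def is_rundll32(event):
    """True if the process is rundll32, by image path or by the PE's original
    file name (Sysmon's OriginalFileName survives renaming of the binary)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\rundll32.exe") or original == "rundll32.exe"


def name_only_match(command_line):
    """The naive check the description says adversaries sidestep: look for the
    export name anywhere in the command line."""
    return "shellexec_rundll" in command_line.lower()


def classify(event):
    """Return 'named', 'ordinal' or None for one process-creation event."""
    if not is_rundll32(event):
        return None
    cmd = event.get("CommandLine", "")
    if NAMED_RE.search(cmd):
        return "named"
    if ORDINAL_RE.search(cmd):
        return "ordinal"
    return None


def scan(events):
    """Return [(index, kind, ordinal_or_None)] for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        kind = classify(ev)
        if kind is None:
            continue
        m = ORDINAL_RE.search(ev["CommandLine"]) if kind == "ordinal" else None
        hits.append((i, kind, int(m.group(1)) if m else None))
    return hits


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, "name-only:", name_only_match(ev["CommandLine"]),
              "ordinal-aware:", classify(ev))
    print(scan(SAMPLE_EVENTS))
```

Matching on any `shell32.dll,#<n>` is deliberately wider than the rule; in production you would restrict it to the ordinals the rule actually lists and tune on your own rundll32 baseline. The image and OriginalFileName filter is what keeps the string showing up as an argument to some other process (event 4) from firing.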

Rule History

Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5082 from @swachchhanda000 - Add `Suspicious ShellExec_RunDLL Call Via Ordinal`
Date
2024-12-01
Commit