Potential Rundll32 Execution With DLL Stored In ADS

Rule Info

Name
Potential Rundll32 Execution With DLL Stored In ADS
Description
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
Reference
https://lolbas-project.github.io/lolbas/Binaries/Rundll32
Modified
2023-01-23 00:00:00
Date
2023-01-21 00:00:00
Author
Harjot Singh, '@cyb3rjy0t'
Tags
attack.defense_evasion DEMO attack.t1564.004
Id
9248c7e1-2bf3-4661-a22c-600a8040b446
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=9248c7e1-2bf3-4661-a22c-600a8040b446

Rule History

Author
Commit
Title
Date
phantinuss
628f616db
fix: sharpen regex to not match default windows rundll32 usage
2023-01-23
Nasreddine Bencherchali
585f3a2f3
fix: update regex
2023-01-21
Nasreddine Bencherchali
a98698f6a
fix: apply suggestions from code review
2023-01-20
frack113
a52d200c5
Update proc_creation_win_ads_stored_dll_execution_rundll32.yml
2023-01-16
frack113
3d0a72d67
Add exe to avoid FP
2023-01-16
cyb3rjy0t
510ef7624
Update rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml
2023-01-15
cyb3rjy0t
644dfd762
ADS stored DLL execution using Rundll32
2023-01-11
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022