Potential Rundll32 Execution With DLL Stored In ADS

Rule Info

Name: Potential Rundll32 Execution With DLL Stored In ADS
Description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
Modified: 2023-01-23 00:00:00
Date: 2023-01-21 00:00:00
Author: Harjot Singh, '@cyb3rjy0t'
Tags: attack.defense_evasion DEMO attack.t1564.004
Id: 9248c7e1-2bf3-4661-a22c-600a8040b446
Type: Community Rule

Rule History

Author                      Commit Title                                                                                   Date
phantinuss                  fix: sharpen regex to not match default windows rundll32 usage                                 2023-01-23
Nasreddine Bencherchali     fix: update regex                                                                              2023-01-21
Nasreddine Bencherchali     fix: apply suggestions from code review                                                        2023-01-20
frack113                    Update proc_creation_win_ads_stored_dll_execution_rundll32.yml                                 2023-01-16
frack113                    Add exe to avoid FP                                                                            2023-01-16
cyb3rjy0t                   Update rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml  2023-01-15
cyb3rjy0t                   ADS stored DLL execution using Rundll32                                                        2023-01-11