rules/windows/process_creation/win_susp_control_dll_load.yml

title: Suspicious Control Panel DLL Load
id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819
status: experimental
description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
author: Florian Roth
date: 2017/04/15
references:
    - https://twitter.com/rikvduijn/status/853251879320662017
tags:
    - attack.defense_evasion
    - attack.t1073
    - attack.t1085
    - car.2013-10-002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: '*\System32\control.exe'
        CommandLine: '*\rundll32.exe *'
    filter:
        CommandLine: '*Shell32.dll*'
    condition: selection and not filter
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`title: Suspicious Control Panel DLL Load`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`status: experimental`
			`description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits`
			`author: Florian Roth`
			`date: 2017/04/15`
			`references:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- https://twitter.com/rikvduijn/status/853251879320662017`
Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1073`
			`- attack.t1085`
First Pass 2019-06-13 23:15:38 -05:00			`- car.2013-10-002`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`logsource:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`detection:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`selection:`
			`ParentImage: '*\System32\control.exe'`
			`CommandLine: '\rundll32.exe '`
			`filter:`
			`CommandLine: 'Shell32.dll'`
			`condition: selection and not filter`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`fields:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- CommandLine`
			`- ParentCommandLine`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`falsepositives:`
Increased indentation to 4 2019-03-02 00:14:20 +01:00			`- Unknown`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00			`level: high`