From 09e6b0503365e73c40459fb9c3c8ea43d13f4f56 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 10 Oct 2020 10:08:02 -0300
Subject: [PATCH] Update win_susp_rundll32_activity.yml
---
.../win_susp_rundll32_activity.yml | 70 ++++++++++++++-----
1 file changed, 52 insertions(+), 18 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml
index d3afc3ee7..f04faf4d7 100644
--- a/rules/windows/process_creation/win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml
@@ -18,26 +18,60 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains:
- - 'url.dll*OpenURL'
- - 'url.dll*OpenURLA'
- - 'url.dll*FileProtocolHandler'
- - 'zipfldr.dll*RouteTheCall'
- - 'shell32.dll*Control_RunDLL'
- - 'shell32.dll*ShellExec_RunDLL'
+ - CommandLine|contains:
 - 'javascript:'
 - '.RegisterXLL'
- - 'mshtml.dll*PrintHTML'
- - 'advpack.dll*LaunchINFSection'
- - 'advpack.dll*RegisterOCX'
- - 'ieadvpack.dll*LaunchINFSection'
- - 'ieadvpack.dll*RegisterOCX'
- - 'ieframe.dll*OpenURL'
- - 'shdocvw.dll*OpenURL'
- - 'syssetup.dll*SetupInfObjectInstallAction'
- - 'setupapi.dll*InstallHinfSection'
- - 'pcwutl.dll*LaunchApplication'
- - 'dfshim.dll*ShOpenVerbApplication'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'OpenURLA'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'FileProtocolHandler'
+ - CommandLine|contains|all:
+ - 'zipfldr.dll'
+ - 'RouteTheCall'
+ - CommandLine|contains|all:
+ - 'shell32.dll'
+ - 'Control_RunDLL'
+ - CommandLine|contains|all:
+ - 'shell32.dll'
+ - 'ShellExec_RunDLL'
+ - CommandLine|contains|all:
+ - 'mshtml.dll'
+ - 'PrintHTML'
+ - CommandLine|contains|all:
+ - 'advpack.dll'
+ - 'LaunchINFSection'
+ - CommandLine|contains|all:
+ - 'advpack.dll'
+ - 'RegisterOCX'
+ - CommandLine|contains|all:
+ - 'ieadvpack.dll'
+ - 'LaunchINFSection'
+ - CommandLine|contains|all:
+ - 'ieadvpack.dll'
+ - 'RegisterOCX'
+ - CommandLine|contains|all:
+ - 'ieframe.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'shdocvw.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'syssetup.dll'
+ - SetupInfObjectInstallAction'
+ - CommandLine|contains|all:
+ - 'setupapi.dll'
+ - 'InstallHinfSection'
+ - CommandLine|contains|all:
+ - 'pcwutl.dll'
+ - 'LaunchApplication'
+ - CommandLine|contains|all:
+ - 'dfshim.dll'
+ - 'ShOpenVerbApplication'
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
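Review bot: The `syssetup.dll` selection's second term is written `- SetupInfObjectInstallAction'` with no opening quote, so YAML reads it as the plain scalar `SetupInfObjectInstallAction'` (trailing apostrophe included) and that `contains|all` pair can never match a real rundll32 command line — the coverage the old `'syssetup.dll*SetupInfObjectInstallAction'` entry provided is silently lost. It should be `- 'SetupInfObjectInstallAction'`, and a quick `yaml.safe_load` plus a sample command line in a rule test would have caught this. Separately, the `url.dll`/`OpenURLA` selection is redundant with `url.dll`/`OpenURL`, since `contains` already matches the shorter substring; harmless, but it can be dropped. Note also that every `contains|all` pair keys on the literal `.dll` suffix, and rundll32 is generally understood to accept the module name without an extension (e.g. `rundll32 url,OpenURL`), so this rewrite presumably remains as evadable as the original on that axis — worth a comment in the rule if that is an accepted limitation.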