From 37cea85072d0da249c39171285339a2ce656d652 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 4 Nov 2017 14:44:16 +0100
Subject: [PATCH] Rundll32.exe suspicious network connections

---
 .../sysmon_rundll32_net_connections.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_rundll32_net_connections.yml

diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
new file mode 100644
index 000000000..cc41ae14a
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
@@ -0,0 +1,22 @@
+title: Rundll32 Internet Connection
+status: experimental
+description: Detects a rundll32 that communicates with piblic IP addresses
+reference: https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
+author: Florian Roth
+date: 2017/11/04
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 3
+ Image: '*\rundll32.exe'
+ filter:
+ DestinationIp:
+ - '10.*'
+ - '192.168.*'
+ - '172.*'
+ condition: selection and not filter
+falsepositives:
+ - Communication to other corporate systems that use IP addresses from public address spaces
+level: medium
\ No newline at end of file
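Review bot: The filter entry `'172.*'` suppresses every destination in 172.0.0.0/8, but only 172.16.0.0/12 (172.16.* through 172.31.*) is private address space, so rundll32 connections to public addresses in 172.0–172.15 and 172.32–172.255 are silently dropped before `condition: selection and not filter` is evaluated. The fix is to enumerate the sixteen /16 ranges of the private block instead of the whole /8, as shown below; loopback (`127.*`) and link-local (`169.254.*`) destinations are also worth adding, since they are never public and otherwise surface as noise. The third line of the hunk also misspells the description — `description: Detects a rundll32 that communicates with public IP addresses`.
```yaml
    filter:
        DestinationIp:
            - '10.*'
            - '192.168.*'
            - '172.16.*'
            - '172.17.*'
            - '172.18.*'
            - '172.19.*'
            - '172.20.*'
            - '172.21.*'
            - '172.22.*'
            - '172.23.*'
            - '172.24.*'
            - '172.25.*'
            - '172.26.*'
            - '172.27.*'
            - '172.28.*'
            - '172.29.*'
            - '172.30.*'
            - '172.31.*'
            - '127.*'
            - '169.254.*'
# … unchanged: condition, falsepositives, level …
```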