Merge pull request #4021 from qasimqlf/patch-29

feat: add `OriginalFileName`

rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml

@@ -6,7 +6,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Rundll32
 author: Harjot Singh, '@cyb3rjy0t'
 date: 2023/01/21
-modified: 2023/01/23
+modified: 2023/02/08
 tags:
     - attack.defense_evasion
     - attack.t1564.004
@@ -14,13 +14,15 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        Image|endswith: '\rundll32.exe'
+    selection_img:
+        - Image|endswith: '\rundll32.exe'
+        - OriginalFileName: 'RUNDLL32.EXE'
+    selection_cli:
         # Example:
         #   rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
         # Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex
         CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? \S+?\w:\S+?:'
-    condition: selection
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high