From 644dfd762016c24badf8a39230b9870097e43682 Mon Sep 17 00:00:00 2001
From: cyb3rjy0t <cyberjyot@gmail.com>
Date: Wed, 11 Jan 2023 21:34:52 -0500
Subject: [PATCH] ADS stored DLL execution using Rundll32

---
 ..._win_ads_stored_dll_execution_rundll32.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml

diff --git a/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml b/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml
new file mode 100644
index 000000000..ad6ea6a97
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml
@@ -0,0 +1,22 @@
+title: Suspicious Alternate Data Stream Execution Via RunDLL32
+id: 9248c7e1-2bf3-4661-a22c-600a8040b446
+status: experimental
+description: Execution of DLL's stored in alternate data stream using RunDLL32
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Rundll32
+author: Harjot Singh, '@cyb3rjy0t'
+date: 2023/01/11
+tags:
+    - attack.defense_evasion
+    - attack.t1564.004
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\rundll32.exe'
+        CommandLine|re: '.+\:.+\..+\:.+\..+\,.+$'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high