From a4e6f58b16d05e277f5caeded2633167c3e90120 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 27 May 2021 17:49:10 +0200
Subject: [PATCH] rule: suspicious programs - no DLL in command line
---
 .../win_susp_procs_req_dlls.yml | 33 +++++++++++++++++++
 .../win_susp_rundll32_no_params.yml | 27 +++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_procs_req_dlls.yml
 create mode 100644 rules/windows/process_creation/win_susp_rundll32_no_params.yml
diff --git a/rules/windows/process_creation/win_susp_procs_req_dlls.yml b/rules/windows/process_creation/win_susp_procs_req_dlls.yml
new file mode 100644
index 000000000..955d6f6f6
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_procs_req_dlls.yml
@@ -0,0 +1,33 @@
+title: Suspicious Process Start Without DLL
+id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
+description: Detects suspicious start of program that usually requires a DLL as parameter, which can be a sign of process injection or hollowing activity
+status: experimental
+references:
+ - https://twitter.com/CyberRaiju/status/1251492025678983169
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
+ - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
+ - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
+author: Florian Roth
+date: 2021/05/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|endswith:
+ - '\rundll32.exe'
+ - '\regsvcs.exe'
+ - '\regasm.exe'
+ - '\regsvr32.exe'
+ filter1:
+ ParentImage|contains:
+ - '\AppData\Local\Temp\'
+ - '\Microsoft\Edge\'
+ condition: selection and not filter1
+fields:
+ - ParentImage
+ - ParentCommandLine
+falsepositives:
+ - Possible but rare
+level: high
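Review bot: The `filter1` exclusion of any parent whose path contains `\AppData\Local\Temp\` carves a user-writable directory out of a rule whose own description is process injection and hollowing, so the listed binaries started by a parent running from Temp are never alerted on; the identical `ParentImage|contains` entry appears as `filter2` in win_susp_rundll32_no_params.yml. Presumably it was added for installers that unpack to Temp, in which case the exclusion would be safer as an `endswith` on the specific parent executables that caused the false positives, e.g. `ParentImage|endswith: '\<observed-installer>.exe'` (placeholder for the real name). The `\Microsoft\Edge\` entry has the same shape but is a less exposed location. Separately, `selection` keys only on `CommandLine|endswith`, so any command line whose last token is one of these paths also matches regardless of the image actually started; pairing it with `Image|endswith` over the same four names would tie the match to the process being created.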
diff --git a/rules/windows/process_creation/win_susp_rundll32_no_params.yml b/rules/windows/process_creation/win_susp_rundll32_no_params.yml
new file mode 100644
index 000000000..f9a961510
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_no_params.yml
@@ -0,0 +1,27 @@
+title: Suspicious Rundll32 Without Any CommandLine Params
+id: 1775e15e-b61b-4d14-a1a3-80981298085a
+description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
+status: experimental
+references:
+ - https://www.cobaltstrike.com/help-opsec
+author: Florian Roth
+date: 2021/05/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|endswith: '\rundll32.exe'
+ filter1:
+ ParentImage|endswith: '\svchost.exe'
+ filter2:
+ ParentImage|contains:
+ - '\AppData\Local\Temp\'
+ - '\Microsoft\Edge\'
+ condition: selection and not filter1 and not filter2
+fields:
+ - ParentImage
+ - ParentCommandLine
+falsepositives:
+ - Possible but rare
+level: high
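Review bot: `CommandLine|endswith: '\rundll32.exe'` in `selection` does not match when the image path is quoted, because the recorded command line then ends in `"` rather than `.exe`, so a no-argument launch logged as `"C:\Windows\System32\rundll32.exe"` (constructed example) passes the rule untouched; the `selection` in win_susp_procs_req_dlls.yml has the same gap for all four binaries. Turning the key into a list that covers both forms closes it: `CommandLine|endswith:` / `- '\rundll32.exe'` / `- '\rundll32.exe"'`. A trailing space after the path is a comparable variant that is worth checking against the actual log source before relying on `endswith` alone, since the title promises "Without Any CommandLine Params" and the field test is what backs that claim.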