70411664cf
* normalizing hunting link generation * replacing header * adjusting quotes in f-strings * added source file to metadata * removed os dependency * address bug in source file links * reverting TOML loading * change all List type hinting to list * change all List type hinting to list * fixed accented characters in queries * reverted accent character removal; moved macos query and MD to macos folder
3.0 KiB
Rundll32 Execution Aggregated by Command Line
Metadata
- Author: Elastic
- Description: This hunt aggregates Rundll32 execution by normalized process.command_line and returns instances that are unique by frequency. Rundll32 is one of the most abused binaries to proxy execution of malicious commands and modules.
- UUID: 44e6adc6-e183-4bfa-b06d-db41669641fa
- Language: [ES|QL]
- Source File: Rundll32 Execution Aggregated by Command Line
Query
from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*
| where @timestamp > now() - 7 day
| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and
to_lower(process.name) == "rundll32.exe" and
not process.command_line rlike """.*(zzzzInvokeManagedCustomActionOutOfProc|GeneralTel.dll,RunInUserCxt|ShOpenVerbApplication|davclnt.dll,DavSetCookie|FileProtocolHandler|EDGEHTML.dll|FirewallControlPanel.dll,ShowNotificationDialog|printui.dll,PrintUIEntryDPIAware|Program Files|SHCreateLocalServerRunDll|ImageView_Fullscreen|StatusMonitorEntryPoint|Control_RunDLL|HotPlugSafeRemovalDriveNotification|AppxDeploymentClient.dll|acproxy.dll,PerformAutochkOperations|CapabilityAccessManagerDoStoreMaintenance|dfshim.dll|display.dll,ShowAdapterSettings|ForceProxyDetectionOnNextRun|PfSvWsSwapAssessmentTask|acmigration.dll,ApplyMigrationShims|LenovoBatteryGaugePackage.dll|-localserver|DriverStore|CnmDxPEntryPoint|DeferredDelete|DeviceProperties_RunDLL|AppxDeploymentClient.dll|spool\\DRIVERS|printui.dll,PrintUIEntry|DfdGetDefaultPolicyAndSMART|cryptext.dll,CryptExt|WininetPlugin.dll|ClearMyTracksByProcess|SusRunTask|OpenURL|CleanupTemporaryState).*"""
| keep process.parent.name, process.command_line, host.id
| eval cmdline = replace(process.command_line, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
| eval cmdline = replace(cmdline, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
| stats hosts =count_distinct(host.id), total = count() by cmdline, process.parent.name
| where hosts == 1
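As an added example (not part of the Elastic hunt or its repository), the Python below reproduces the query's pipeline over a few constructed process events: the process filter, the two `replace()` normalizations transcribed into Python `re` syntax, the `stats ... by cmdline, process.parent.name` aggregation, and the final `hosts == 1` rarity filter. The benign exclusion list is a short subset of the one in the query above, the 7-day `@timestamp` window is left out so the run is deterministic, and the `event()` helper, host ids, user names and command lines are all constructed sample values.

```python
import re
from collections import defaultdict

# Subset of the benign-pattern exclusion list from the query's
# `not process.command_line rlike """.*(...).*"""` clause (full list in the hunt).
# Using search() on the inner group is equivalent to the anchored .*(...).* pattern.
BENIGN_RE = re.compile(
    r"Control_RunDLL|printui\.dll,PrintUIEntry|Program Files|DriverStore|OpenURL"
)

# First replace(): collapse any C:\Users\<name>\ prefix to C:\users\user\.
USER_PATH_RE = re.compile(r"[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9.\-_$~ ]+\\")

# Second replace(): strip GUIDs, NSIS/DirectX/7-Zip temp names and runs of 3+ digits/./-/_.
VOLATILE_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
    r"|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9.\-_]{3,}"
)


def normalize_cmdline(cmdline: str) -> str:
    """Apply both normalizations so per-user and per-run noise no longer splits groups."""
    cmdline = USER_PATH_RE.sub(r"C:\\users\\user\\", cmdline)
    return VOLATILE_RE.sub("", cmdline)


def hunt(events: list[dict]) -> list[dict]:
    """Filter, normalize and aggregate like the ES|QL query; keep rows seen on exactly one host."""
    groups = defaultdict(lambda: {"hosts": set(), "total": 0})
    for ev in events:
        if ev["host.os.family"] != "windows" or ev["event.category"] != "process":
            continue
        if ev["event.action"] not in ("start", "Process creation", "created-process"):
            continue
        if ev["process.name"].lower() != "rundll32.exe":
            continue
        if BENIGN_RE.search(ev["process.command_line"]):
            continue
        key = (normalize_cmdline(ev["process.command_line"]), ev["process.parent.name"])
        groups[key]["hosts"].add(ev["host.id"])
        groups[key]["total"] += 1
    return [
        {"cmdline": cmd, "parent": parent, "hosts": len(g["hosts"]), "total": g["total"]}
        for (cmd, parent), g in groups.items()
        if len(g["hosts"]) == 1
    ]


def event(host: str, parent: str, cmdline: str, name: str = "rundll32.exe") -> dict:
    """Constructed helper: build one ECS-style process start event with fixed constant fields."""
    return {
        "host.id": host, "host.os.family": "windows",
        "event.category": "process", "event.action": "start",
        "process.name": name, "process.parent.name": parent,
        "process.command_line": cmdline,
    }


# Constructed sample events (not real telemetry).
EVENTS = [
    # Same DLL launched from an NSIS-style temp dir on two hosts: both normalize to one
    # cmdline, so hosts == 2 and the pair is dropped as not rare enough.
    event("host-a", "explorer.exe",
          r"rundll32.exe C:\Users\alice\AppData\Local\Temp\nsa1B2.tmp\stage.dll,Run"),
    event("host-b", "explorer.exe",
          r"rundll32.exe C:\Users\bob\AppData\Local\Temp\nsc9F3.tmp\stage.dll,Run"),
    # Ordinary control-panel launch, removed by the exclusion list (Control_RunDLL).
    event("host-a", "explorer.exe",
          r'rundll32.exe shell32.dll,Control_RunDLL "C:\Windows\system32\inetcpl.cpl"'),
    # Not rundll32 at all, removed by the process.name filter.
    event("host-b", "explorer.exe", r"notepad.exe C:\Users\bob\notes.txt", name="notepad.exe"),
    # A one-off DLL from a user's Downloads folder spawned by winword.exe: hosts == 1, surfaces.
    event("host-c", "winword.exe",
          r"rundll32.exe C:\Users\carol\Downloads\helper.dll,Init"),
]

if __name__ == "__main__":
    for row in hunt(EVENTS):
        print(row)
```

One caveat worth knowing when reading the output: the `[0-9.\-_]{3,}` run in the second normalization also strips the `32.` out of `rundll32.exe` itself, so normalized rows start with `rundllexe`. That does not affect grouping, since it happens to every row alike, but the normalized `cmdline` column is a grouping key, not a string to search for verbatim in raw telemetry.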
Notes
- Execution of DLLs from suspicious paths or with suspicious export function names or from suspicious parent should be further reviewed.
- Parents such as svchost, explorer.exe, wmiprvse.exe, winword.exe and others should be carefully reviewed.
MITRE ATT&CK Techniques
License
Elastic License v2