defense_evasion_system_binary_proxy_execution_via_rundll32.yml
name: System Binary Proxy Execution via Rundll32
id: 43d76718-cc46-485e-8f47-996eb7a9f83b
version: 1.0.5
description: |
  Detects the execution of the rundll32.exe process with a suspicious command line
  followed by the creation of a possibly malicious child process.
  Adversaries may abuse rundll32.exe to proxy execution of malicious code.
  Using rundll32.exe, vice executing directly, may avoid triggering security
  tools that may not monitor execution of the rundll32.exe process because of
  allowlists or false positives from normal operations.
labels:
  tactic.id: TA0005
  tactic.name: Defense Evasion
  tactic.ref: https://attack.mitre.org/tactics/TA0005/
  technique.id: T1218
  technique.name: System Binary Proxy Execution
  technique.ref: https://attack.mitre.org/techniques/T1218/
  subtechnique.id: T1218.011
  subtechnique.name: Rundll32
  subtechnique.ref: https://attack.mitre.org/techniques/T1218/011/
references:
  - https://redcanary.com/threat-detection-report/techniques/rundll32/
condition: >
  sequence
  maxspan 1m
    |spawn_process and
      (ps.name ~= 'rundll32.exe' or ps.pe.file.name ~= 'rundll32.exe') and
      (
        ps.cmdline imatches
          (
            '*javascript:*',
            '*vbscript:*',
            '*shell32.dll*ShellExec_RunDLL*',
            '*shell32*WaitForExplorerRestart*',
            '*-sta*',
            '*ActiveXObject*',
            '*WScript.Shell*',
            '*RunHTMLApplication*',
            '*advpack*#12*',
            '*advpack*RegisterOCX*',
            '*advpack*LaunchINFSection*',
            '*url.dll*FileProtocolHandler*file://*',
            '*url.dll*FileProtocolHandler*.exe*',
            '*zipfldr*RouteTheCall*',
            '*pcwutl*LaunchApplication*',
            '*pcwutl*#1*',
            '*desk*InstallScreenSaver*',
            '*PointFunctionCall*'
          ) or
        regex(ps.cmdline, '(?i)[A-Z]:\\\\.+:.+$')
      )
    | by ps.uuid
    |spawn_process and ps.exe not imatches
      (
        '?:\\Program Files\\*.exe',
        '?:\\Program Files (x86)\\*.exe'
      )
    | by ps.parent.uuid
action:
  - name: kill
min-engine-version: 3.0.0
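As an added example (not code from the rule's own project or its engine), the two-stage sequence above re-implemented in Python and dry-run over constructed process events, so the glob list, the PE-name check for a renamed binary, the Program Files exclusion and the `maxspan 1m` window can each be exercised. The event field names, the `spawn` helper and the single-backslash form of the ADS regex are assumptions.

```python
import fnmatch
import re
from datetime import datetime, timedelta

# Stage-1 globs copied from the rule (ps.cmdline imatches ...).
CMDLINE_PATTERNS = [
    '*javascript:*', '*vbscript:*', '*shell32.dll*ShellExec_RunDLL*', '*shell32*WaitForExplorerRestart*',
    '*-sta*', '*ActiveXObject*', '*WScript.Shell*', '*RunHTMLApplication*', '*advpack*#12*',
    '*advpack*RegisterOCX*', '*advpack*LaunchINFSection*', '*url.dll*FileProtocolHandler*file://*',
    '*url.dll*FileProtocolHandler*.exe*', '*zipfldr*RouteTheCall*', '*pcwutl*LaunchApplication*',
    '*pcwutl*#1*', '*desk*InstallScreenSaver*', '*PointFunctionCall*']
# Intent of the rule's regex: a drive-letter path ending in ':<stream>' (an alternate data
# stream). Assumption: the engine unescapes the YAML '\\\\' to a single literal backslash.
ADS_RE = re.compile(r'(?i)[A-Z]:\\.+:.+$')
TRUSTED_EXE = ['?:\\Program Files\\*.exe', '?:\\Program Files (x86)\\*.exe']  # stage-2 exclusion
MAXSPAN = timedelta(minutes=1)  # the rule's `maxspan 1m`

def imatches(value, patterns):  # case-insensitive glob, like the rule's `imatches` operator
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
def stage1(ev):  # suspicious rundll32 spawn; the PE file name still catches a renamed binary
    return (ev['type'] == 'spawn_process'
            and 'rundll32.exe' in (ev['name'].lower(), ev['pe_name'].lower())
            and (imatches(ev['cmdline'], CMDLINE_PATTERNS) or ADS_RE.search(ev['cmdline']) is not None))
def stage2(ev):  # any child spawn whose image is outside the Program Files allowlist
    return ev['type'] == 'spawn_process' and not imatches(ev['exe'], TRUSTED_EXE)

def find_sequences(events):
    """(rundll32 uuid, child uuid) pairs: a stage-1 spawn followed, within MAXSPAN,
    by a stage-2 spawn whose ps.parent.uuid is that rundll32 process."""
    pending, hits = {}, []
    for ev in sorted(events, key=lambda e: e['ts']):
        if stage1(ev):
            pending[ev['uuid']] = ev['ts']
        if stage2(ev):
            t0 = pending.get(ev['parent_uuid'])
            if t0 is not None and ev['ts'] - t0 <= MAXSPAN:
                hits.append((ev['parent_uuid'], ev['uuid']))
    return hits

def spawn(secs, uuid, parent, name, exe, cmdline, pe_name=None):  # constructed-event helper
    return dict(type='spawn_process', ts=datetime(2024, 1, 1, 12) + timedelta(seconds=secs), uuid=uuid,
                parent_uuid=parent, name=name, pe_name=pe_name or name, exe=exe, cmdline=cmdline)

SAMPLE = [  # constructed telemetry, not real events
    spawn(0, 'p1', 'p0', 'rundll32.exe', r'C:\Windows\System32\rundll32.exe', 'rundll32.exe vbscript:test'),
    spawn(20, 'p2', 'p1', 'cmd.exe', r'C:\Windows\System32\cmd.exe', 'cmd.exe /c whoami'),       # hit
    spawn(25, 'p3', 'p1', 'app.exe', r'C:\Program Files\Vendor\app.exe', 'app.exe'),          # allowlisted
    spawn(30, 'p4', 'p0', 'svc.exe', r'C:\Temp\svc.exe', r'svc.exe C:\Temp\a.txt:s', pe_name='rundll32.exe'),
    spawn(100, 'p5', 'p4', 'cmd.exe', r'C:\Windows\System32\cmd.exe', 'cmd.exe'),  # 70 s later: past maxspan
]
```

`find_sequences(SAMPLE)` returns only `[('p1', 'p2')]`: the renamed copy (`p4`) is flagged by stage 1 via its PE name and ADS-style command line, but its child arrives outside the one-minute window, and the Program Files child (`p3`) is excluded by stage 2.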