
Potential Obfuscated Ordinal Call Via Rundll32

Sigma Rules

Summary
This detection rule targets potential obfuscated ordinal calls made through the Windows utility `rundll32.exe`. `rundll32.exe` executes functions exported from a DLL file, but threat actors can also abuse it to run malicious code while obfuscating the call. The rule monitors process creation events for `rundll32.exe` whose command line contains an obfuscation pattern such as `#+` or `#-`. The detection condition is defined as `all of selection_*`, meaning every selection must match before an alert is raised; the selections combine process attributes such as the image name, the original file name, and the command-line arguments. Being aware that malware may use this method helps reduce false negatives during threat hunting.
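The following is an added example, not the rule's own YAML or any code from the page: it reconstructs the detection logic described in the summary as plain Python and runs it over a few constructed Sysmon-style process-creation events. The grouping of the fields into two selections (image name or original file name in one, command line in the other, combined with `all of selection_*`) is an assumption drawn from the summary; the field names `Image`, `OriginalFileName` and `CommandLine` follow the usual Sysmon event shape. The sample events include a renamed `rundll32.exe` binary, which shows why matching on `OriginalFileName` and not only on `Image` matters for this kind of rule.

```python
# Constructed sample events (not taken from the page), shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    # Benign: ordinary rundll32 invocation, no obfuscation pattern in the command line.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # Suspicious: rundll32 called with an obfuscated ordinal ('#+').
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\sample.dll,#+2"},
    # Suspicious: the binary was renamed on disk, but the PE's original file name
    # still identifies it as rundll32, and the command line carries '#-'.
    {"Image": r"C:\Temp\r32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"r32.exe C:\Users\Public\sample.dll,#-1"},
    # Not rundll32 at all: the pattern alone must not trigger the rule.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c echo #+1"},
]

# Obfuscation patterns named in the rule summary.
OBFUSCATION_PATTERNS = ("#+", "#-")


def selection_img(event):
    """Assumed selection: process is rundll32 by image path or by original file name.

    Sigma string modifiers are case-insensitive by default, so both sides are lowered.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\rundll32.exe") or original == "rundll32.exe"


def selection_cli(event):
    """Assumed selection: command line contains one of the obfuscation patterns."""
    cmd = event.get("CommandLine", "")
    return any(pattern in cmd for pattern in OBFUSCATION_PATTERNS)


def matches_rule(event):
    """condition: all of selection_* -- every selection must match."""
    return selection_img(event) and selection_cli(event)


def find_matches(events):
    """Return the events that would raise this alert."""
    return [event for event in events if matches_rule(event)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```

Running the block prints two alerts: the direct `rundll32.exe` call and the renamed binary. The benign `Control_RunDLL` call and the `cmd.exe` event are left alone, which is the behaviour `all of selection_*` is meant to give: both the process identity and the command-line pattern have to line up.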
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Process
Created: 2023-05-17