Rundll32 Execution With Uncommon DLL Extension

Original Source: [Sigma source]
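title: Rundll32 Execution With Uncommon DLL Extension
# NOTE(review): the Sigma rule schema requires an `id` (UUID) on every rule; it is
# absent from this rendering and must be present in the deployable file.
status: test
description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
references:
  - https://twitter.com/mrd0x/status/1481630810495139841?s=12
author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
date: 2022-01-13
modified: 2024-04-04
tags:
  - attack.defense-evasion
  - attack.t1218.011
logsource:
  category: process_creation
  product: windows
detection:
  # The two entries are a list, i.e. OR: a renamed copy of rundll32 changes Image
  # but keeps the PE-embedded OriginalFileName, so either field alone is enough.
  selection:
    - Image|endswith: '\rundll32.exe'
    - OriginalFileName: 'RUNDLL32.EXE'
  # Sigma null match (field absent/unset). A quoted 'None' would be the literal
  # string "None", which never matches and would silently disable this filter.
  filter_main_null:
    CommandLine: null
  filter_main_empty:
    CommandLine: ''
  # Known-good extensions, each anchored by the character that follows it
  # (space, comma, double or single quote) or by end-of-line.
  # Caveat: `contains` is a substring test over the WHOLE command line, so any
  # argument that contains e.g. ".dll " (a decoy path, a second argument) will
  # suppress the alert even if the module actually loaded has another extension.
  filter_main_known_extension:
    - CommandLine|contains:
        - '.cpl '
        - '.cpl,'
        - '.cpl"'
        - ".cpl'"
        - '.dll '
        - '.dll,'
        - '.dll"'
        - ".dll'"
        - '.inf '
        - '.inf,'
        - '.inf"'
        - ".inf'"
    - CommandLine|endswith:
        - '.cpl'
        - '.dll'
        - '.inf'
  # Presumably legitimate COM out-of-process activation (`-localserver <CLSID>`);
  # confirm against your baseline before relying on it.
  filter_main_localserver:
    CommandLine|contains: ' -localserver '
  # MSI managed custom actions run from a temporary file under \Windows\Installer\
  # that carries no DLL extension; all three fragments must be present.
  filter_main_zzzzInvokeManagedCustomActionOutOfProc:
    ParentImage|endswith: '\msiexec.exe'
    CommandLine|contains|all:
      - ':\Windows\Installer\'
      - '.tmp'
      - 'zzzzInvokeManagedCustomActionOutOfProc'
  # Optional (tunable) exclusion for the Edge updater. It keys only on the
  # parent's command line, so any rundll32 child of that installer is excluded;
  # drop it if that parent is not expected in your environment.
  filter_optional_EdgeUpdate:
    ParentCommandLine|contains|all:
      - ':\Users\'
      - '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
      - '\EDGEMITMP_'
      - '.tmp\setup.exe'
      - '--install-archive='
      - '--previous-version='
      - '--msedgewebview --verbose-logging --do-not-launch-msedge --user-level'
  condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
  - Unknown
level: medium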