Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New Rule: Potentially Suspicious Rundll32.EXE Execution of UDL File #4974

Merged
merged 5 commits into from
Aug 16, 2024
Merged

New Rule: Potentially Suspicious Rundll32.EXE Execution of UDL File #4974

merged 5 commits into from
Aug 16, 2024

Conversation

tsale
Copy link
Contributor

@tsale tsale commented Aug 16, 2024
edited by nasbench
Loading

Summary of the Pull Request

Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse the technique as a phishing vector to capture authentication credentials or other sensitive data.

Changelog

new: Potentially Suspicious Rundll32.EXE Execution of UDL File

Example Log Event

Type: Process Create
Image: C:\Windows\System32\rundll32.exe
ParentCommandLine: C:\Windows\Explorer.EXE
ParentUser: DESKTOP-20KZ31\admin
CurrentDirectory: C:\
CommandLine: "Rundll32.exe" "C:\Program Files\Common Files\System\OLE DB\oledb32.dll",OpenDSLFile C:\connection_test_test_gmail.com.udl
ParentImage: C:\Windows\explorer.exe
PID: 10976
User: DESKTOP-20KZ31\admin

Legitimate use of UDL files by administrative users or software that leverages OLE DB connections. Verification of such activity is required to distinguish between benign and malicious activity.

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Aug 16, 2024
@nasbench
Copy link
Member

Thanks for the contribution @tsale

@nasbench nasbench changed the title New Rule: Suspicious Rundll32 Execution of UDL File New Rule: Potentially Suspicious Rundll32.EXE Execution of UDL File Aug 16, 2024
@nasbench nasbench merged commit 7e93682 into SigmaHQ:master Aug 16, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nasbench nasbench nasbench approved these changes

Assignees
No one assigned
Labels
Rules Windows Pull request add/update windows related rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tsale @nasbench