/
executedllwithspoofedextension.yml
43 lines (42 loc) · 1.42 KB
/
executedllwithspoofedextension.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
title: Execute DLL with spoofed extension
status: experimental
description: Execute DLL with spoofed extension
author: Joe Security
date: 2020-03-24
id: 200068
threatname:
behaviorgroup: 1
classification: 8
mitreattack:
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '*rundll32*.html,DllRegisterServer*'
- '*rundll32*.htm,DllRegisterServer*'
- '*rundll32*.txt,DllRegisterServer*'
- '*rundll32*.png,DllRegisterServer*'
- '*rundll32*.jpeg,DllRegisterServer*'
- '*rundll32*.jpg,DllRegisterServer*'
- '*rundll32 c:\programdata\\*.pdf*'
- '*rundll32 c:\programdata\\*.txt*'
- '*rundll32 c:\programdata\\*.jpg*'
- '*rundll32 c:\programdata\\*.png*'
- '*rundll32 c:\programdata\\*.jpeg*'
- '*rundll32 c:\users\public\\*.pdf*'
- '*rundll32 c:\users\public\\*.txt*'
- '*rundll32 c:\users\public\\*.jpg*'
- '*rundll32 c:\users\public\\*.png*'
- '*rundll32 c:\users\public\\*.jpeg*'
- '*rundll32*\\*.pdf*'
- '*rundll32*\\*.txt*'
- '*rundll32*\\*.jpg*'
- '*rundll32*\\*.png*'
- '*rundll32*\\*.jpeg*'
- '*rundll32*\\*.dat*'
selection1:
- '*rundll32*.Data*'
condition: selection and not selection1
level: critical