-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2014-03-006.yaml
52 lines (52 loc) · 2.12 KB
/
CAR-2014-03-006.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
---
title: RunDLL32.exe monitoring
submission_date: 2014/03/28
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- MITRE
id: CAR-2014-03-006
description: 'Adversaries may find it necessary to use [Dyanamic-link Libraries](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682589.aspx) (DLLs) to [evade defenses](https://attack.mitre.org/tactics/TA0005). One way these DLLs can be "executed" is through the use of the built-in Windows utility [RunDLL32](https://attack.mitre.org/techniques/T1218.011), which allows a user to execute code in a DLL, providing the name and optional arguments to an exported entry point. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful.'
coverage:
- technique: T1218
tactics:
- TA0005
subtechniques:
- T1218.011
coverage: Moderate
implementations:
- description: 'When looking for all instances of RunDLL32, it is imperative to also have the `command_line` information, which contains the DLL information, including the name, entry point, and optional arguments.'
code: |-
process = search Process:Create
rundll32 = filter process where (exe == "rundll32.exe")
output rundll32
type: pseudocode
- description: DNIF version of the above pseudocode.
code: |-
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=rundll32.exe limit 100
type: DNIF
data_model: Sysmon native
- description: LogPoint version of the above pseudocode.
code: |-
norm_id=WindowsSysmon event_id=1 image="*\rundll32.exe"
type: LogPoint
data_model: LogPoint native
data_model_references:
- process/create/exe
- process/create/command_line
unit_tests:
- configurations:
- Windows 7
description: Execute rundll32.exe from a command window
commands:
- 'c:\windows\syswow64\rundll32.exe'
- 'RUNDLL32.EXE SHELL32.DLL,Control_RunDLL desk.cpl,,0'
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis