Date: 02/27/2025
Severity: Medium
Summary
Detects the execution of "rundll32" with potentially obfuscated ordinal function calls.
Indicators of Compromise (IOC) List
Image : | '\rundll32.exe' |
Original Filename : | 'RUNDLL32.EXE' |
CommandLine : | 'Rundll32' |
CommandLine contains any of : | '#+' | '#-' | '#0' | '#655' | '#656' |
Note on '#+' and '#-' : an explicit sign written in front of the ordinal number.
Note on '#0' : an ordinal can be written with any number of leading zeros, e.g. #000000024 is still ordinal 24.
Note on '#655' and '#656' : the ordinal is a 16-bit value, so a number too large for 16 bits wraps around; ordinal 24 can also be written as #65560 (65536 + 24).
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query : | (resourcename = "Windows Security" AND eventtype = "4688" ) AND (processname like "rundll32.exe" AND originalfilename like "RUNDLL32.EXE" AND commandline like "rundll32") AND (commandline like "#+" or commandline like "#-" or commandline like "#0" or commandline like "#655" or commandline like "#656" ) |
Detection Query : | (technologygroup = "EDR" ) AND (processname like "rundll32.exe" AND originalfilename like "RUNDLL32.EXE" AND commandline like "rundll32") AND (commandline like "#+" or commandline like "#-" or commandline like "#0" or commandline like "#655" or commandline like "#656" ) |
Note : both queries require processname, originalfilename and commandline to match together (AND). In the referenced Sigma rule these three conditions are a list (selection_img), so any one of them is sufficient (OR). The queries are therefore stricter than the rule and will not fire on, for example, a renamed copy of rundll32 where only originalfilename still matches.
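The following is an added example, not part of the original page or of Gurucul's or SigmaHQ's code. It shows why the five substrings in the IOC list catch the obfuscated forms: it resolves a rundll32 ordinal token (optional sign, leading zeros, values above 16 bits) to the ordinal it actually denotes, and applies the detection logic to a few constructed process-creation events. The image conditions are combined with OR, as in the Sigma rule's selection_img, rather than with AND as in the queries above. Treating a '-' sign as an unsigned 16-bit wrap-around is an assumption made for the example; the sample events are constructed, not real telemetry.

```python
"""Resolve obfuscated rundll32 ordinals and apply the rundll32 ordinal
detection logic to constructed process-creation events."""
import re

# A rundll32 ordinal token: '#', an optional sign, then decimal digits.
ORDINAL_RE = re.compile(r"#([+-]?)(\d+)")

# CommandLine substrings from the IOC list (the Sigma rule's selection_cli).
CLI_INDICATORS = ("#+", "#-", "#0", "#655", "#656")


def canonical_ordinal(token):
    """Map a '#...' token to the 16-bit ordinal it denotes, or None if the
    token is not an ordinal.  int() drops leading zeros and a '+' sign
    (#+0044 -> 44, #000000024 -> 24); values that do not fit in 16 bits wrap
    modulo 65536 (#65560 -> 24).  Assumption: a '-' sign is also treated as
    unsigned 16-bit wrap-around (#-1 -> 65535)."""
    m = ORDINAL_RE.fullmatch(token)
    if m is None:
        return None
    sign, digits = m.groups()
    value = int(digits)
    if sign == "-":
        value = -value
    return value % 65536


def ordinals_in(cmdline):
    """Every ordinal token in a command line, paired with its canonical value."""
    return [(m.group(0), canonical_ordinal(m.group(0)))
            for m in ORDINAL_RE.finditer(cmdline)]


def selection_img(event):
    """Sigma selection_img: any one of the three image conditions (OR)."""
    return (event["Image"].lower().endswith("\\rundll32.exe")
            or event["OriginalFileName"].upper() == "RUNDLL32.EXE"
            or "rundll32" in event["CommandLine"].lower())


def selection_cli(event):
    """Sigma selection_cli: CommandLine contains any indicator substring."""
    return any(ind in event["CommandLine"] for ind in CLI_INDICATORS)


def matches(event):
    """Sigma condition: all of selection_*."""
    return selection_img(event) and selection_cli(event)


def evaluate(events):
    """Return [(CommandLine, matched, [(token, ordinal), ...]), ...]."""
    return [(e["CommandLine"], matches(e), ordinals_in(e["CommandLine"]))
            for e in events]


# Constructed sample events (not real telemetry).
SYS32 = r"C:\Windows\System32\rundll32.exe"
EVENTS = [
    {"Image": SYS32, "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,#+0044"},          # sign + leading zeros
    {"Image": SYS32, "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe url.dll,#65560"},              # 65536 + 24 wraps to 24
    {"Image": SYS32, "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,#44"},             # plain ordinal, not flagged
    {"Image": SYS32, "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe user32.dll,LockWorkStation"},  # named export, not flagged
    {"Image": r"C:\Temp\svchost.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"svchost.exe url.dll,#000000024"},           # renamed binary: only OriginalFileName matches
]

if __name__ == "__main__":
    for cmd, hit, ords in evaluate(EVENTS):
        print(f"{'ALERT' if hit else 'ok   '} {cmd!r} ordinals={ords}")
```

The last event is the case the OR in selection_img exists for: the binary was renamed, so only OriginalFileName identifies it as rundll32, and a rule that ANDs the image conditions would miss it.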
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml