Date: 08/19/2024
Severity: Medium
Summary
Detects the execution of rundll32.exe loading the oledb32.dll library (via its OpenDSLFile export) to open a Universal Data Link (.udl) file from a user's Downloads folder. Threat actors may deliver a UDL file as a phishing lure, since opening it presents a connection dialog that can be used to harvest authentication credentials or other sensitive information.
Indicators of Compromise (IOC) List
Field | Value
ParentImage | '\explorer.exe'
Image | '\rundll32.exe'
OriginalFileName | 'RUNDLL32.EXE'
CommandLine | 'oledb32.dll' ',OpenDSLFile ' '\\Users\\*\\Downloads\\' '.udl'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Query | Expression
Detection Query 1 | ((((resourceName = "Sysmon" AND eventtype = "1" ) AND parentimage = "\\explorer.exe" ) AND image = "\\rundll32.exe" ) AND originalfilename = "RUNDLL32.EXE" ) AND commandline In ("oledb32.dll" , ",OpenDSLFile" , "\\Users\\*\\Downloads" ,".udl")
Detection Query 2 | ((((technologygroup = "EDR" ) AND parentimage = "\\explorer.exe" ) AND image = "\\rundll32.exe" ) AND originalfilename = "RUNDLL32.EXE" ) AND commandline In ("oledb32.dll" , ",OpenDSLFile" , "\\Users\\*\\Downloads" ,".udl")
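The following Python script is an added example, not Gurucul's or SigmaHQ's code: it applies the indicators above to constructed Sysmon Event ID 1 records so the matching logic can be checked offline. It assumes the field names from the IOC list (ParentImage, Image, OriginalFileName, CommandLine), treats `*` in the Downloads path indicator as a wildcard, compares case-insensitively, and requires all four CommandLine substrings to be present, as the referenced Sigma rule does. The sample events are constructed and include a true positive, a benign rundll32 launch, a UDL opened from outside Downloads (not matched by this rule) and a non-explorer parent.

```python
"""Evaluate the rundll32 + oledb32.dll UDL indicators against Sysmon-style events.

Added example (not Gurucul's or SigmaHQ's own code). Field names follow the
advisory's IOC list; the events below are constructed samples, not real telemetry.
"""

# Indicators taken from the advisory. ParentImage/Image are suffix matches,
# OriginalFileName is an exact match, and every CommandLine indicator must be
# found (all-of), which keeps benign oledb32.dll usage from alerting on its own.
PARENT_IMAGE_SUFFIX = "\\explorer.exe"
IMAGE_SUFFIX = "\\rundll32.exe"
ORIGINAL_FILE_NAME = "RUNDLL32.EXE"
COMMANDLINE_INDICATORS = (
    "oledb32.dll",
    ",OpenDSLFile ",
    "\\Users\\*\\Downloads\\",  # '*' is a wildcard for the user name
    ".udl",
)


def contains_wildcard(haystack: str, pattern: str) -> bool:
    """Case-insensitive 'contains' check where '*' matches any run of characters.

    The pieces between wildcards must appear in order; each search resumes
    after the previous piece so '\\Users\\*\\Downloads\\' cannot match a path
    where 'Downloads' precedes 'Users'.
    """
    hay = haystack.lower()
    pos = 0
    for piece in pattern.lower().split("*"):
        if not piece:  # leading/trailing '*' contributes nothing to match
            continue
        idx = hay.find(piece, pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return True


def matches_udl_rundll32(event: dict) -> bool:
    """Return True when a Sysmon process-creation event matches all indicators."""
    if event.get("EventID") != 1:
        return False
    if not event.get("ParentImage", "").lower().endswith(PARENT_IMAGE_SUFFIX.lower()):
        return False
    if not event.get("Image", "").lower().endswith(IMAGE_SUFFIX.lower()):
        return False
    if event.get("OriginalFileName", "").upper() != ORIGINAL_FILE_NAME:
        return False
    cmd = event.get("CommandLine", "")
    return all(contains_wildcard(cmd, ind) for ind in COMMANDLINE_INDICATORS)


def run_detection(events: list) -> list:
    """Return the indexes of events that trigger the detection."""
    return [i for i, ev in enumerate(events) if matches_udl_rundll32(ev)]


# Constructed sample events (not real telemetry). Only the first should match.
SAMPLE_EVENTS = [
    {  # 0: UDL file opened from Downloads via oledb32.dll, launched from explorer
        "EventID": 1,
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": '"C:\\Windows\\System32\\rundll32.exe" '
        '"C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll",OpenDSLFile '
        "C:\\Users\\alice\\Downloads\\invoice.udl",
    },
    {  # 1: benign rundll32 launch from explorer with an unrelated DLL
        "EventID": 1,
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
    },
    {  # 2: same DLL/export but the .udl is outside Downloads; this rule does not fire
        "EventID": 1,
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": "rundll32.exe oledb32.dll,OpenDSLFile C:\\Temp\\test.udl",
    },
    {  # 3: parent is cmd.exe rather than explorer.exe
        "EventID": 1,
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": "rundll32.exe oledb32.dll,OpenDSLFile C:\\Users\\bob\\Downloads\\a.udl",
    },
]

if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Event 2 is the caveat worth noting when tuning: because the rule pins the path to `\Users\*\Downloads\`, a UDL file opened from another location is not matched, so coverage depends on where phishing attachments land on your endpoints.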
References:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_udl_exec.yml
https://trustedsec.com/blog/oops-i-udld-it-again