splApache-2.0from splunk/security_content

Windows Application Whitelisting Bypass Attempt via Rundll32

The following analytic detects the execution of rundll32.exe calling one of the following DLLs: - Advpack.dll - Ieadvpack.dll - Syssetup.dll - Setupapi.dll with one of the following functions: "LaunchINFSection", "InstallHinfSection", "SetupInfObjectInstallAction". This method is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions and process details. This activity is significant as it indicates a potential application control or whitelisting bypass, allowing script code execution from a file. If confirmed malicious, an attacker could execute arbitrary code, potentially leading to privilege escalation, persistence, or further network compromise. Investigate the script content, network connections, and any spawned child processes for further context.

Quality

FP risk

—

Forks

Views

Rule source🔒 locked

title: ████████████████████████
id: ████████-████-████-████-████████████
status: ██████████
description: ██████████████████████████████████████████
             ████████████████████████████████████████
author: ████████
tags:
  - attack.████
  - attack.████
logsource:
  product: ████████
  category: ████████████
detection:
  selection:
    Image|endswith: '████████████████'
    CommandLine|contains:
      - '████████████████████████'
      - '████████████████████████'
      - '██████████████████'
  condition: selection
level: ████████
falsepositives:
  - ████████████████████

🔒

Sign in to view the rule source

Free accounts can view the source for the top-ranked rules. Create one in seconds — no credit card required.