(SIGMA) SIGMA_spoofed_extension

Download Raw

title: Execute DLL with spoofed extension
status: experimental
description: Execute DLL with spoofed extension
author: Joe Security
date: 2020-03-24
id: 200068
threatname:
behaviorgroup: 1
classification: 8
mitreattack:

logsource:
      category: process_creation
      product: windows
detection:
      selection:      
          CommandLine:
              - '*rundll32*.html,DllRegisterServer*'
              - '*rundll32*.htm,DllRegisterServer*'
              - '*rundll32*.txt,DllRegisterServer*'
              - '*rundll32*.png,DllRegisterServer*'
              - '*rundll32*.jpeg,DllRegisterServer*'
              - '*rundll32*.jpg,DllRegisterServer*'
              - '*regsvr32 c:\programdata\\*.pdf*'
              - '*regsvr32 c:\programdata\\*.txt*'
              - '*regsvr32 c:\users\public\\*.pdf*'
              - '*regsvr32 c:\users\public\\*.txt*'
              
      condition: selection
level: critical

Associated Techniques