← Back to Explore
sigmamediumHunting
Potentially Suspicious Rundll32.EXE Execution of UDL File
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
Detection Query
selection_parent:
ParentImage|endswith: \explorer.exe
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
selection_cli:
CommandLine|contains|all:
- oledb32.dll
- ",OpenDSLFile "
- \\Users\\*\\Downloads\\
CommandLine|endswith: .udl
condition: all of selection_*
Author
@kostastsale
Created
2024-08-16
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.defense-evasionattack.executionattack.command-and-controlattack.t1218.011attack.t1071
Raw Content
title: Potentially Suspicious Rundll32.EXE Execution of UDL File
id: 0ea52357-cd59-4340-9981-c46c7e900428
status: test
description: |
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
references:
- https://trustedsec.com/blog/oops-i-udld-it-again
author: '@kostastsale'
date: 2024-08-16
tags:
- attack.defense-evasion
- attack.execution
- attack.command-and-control
- attack.t1218.011
- attack.t1071
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\explorer.exe'
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains|all:
- 'oledb32.dll'
- ',OpenDSLFile '
- '\\Users\\*\\Downloads\\' # Note: You can adjust the path to the download directory or other directories according to your environment.
CommandLine|endswith: '.udl'
condition: all of selection_*
falsepositives:
- UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
level: medium