sigmamediumHunting

Suspicious Workstation Locking via Rundll32

Detects a suspicious call to the user32.dll function that locks the user workstation

Detection Query

selection_call_img:
  - Image|endswith: \rundll32.exe
  - OriginalFileName: RUNDLL32.EXE
selection_call_parent:
  ParentImage|endswith: \cmd.exe
selection_call_cli:
  CommandLine|contains: user32.dll,
selection_function:
  CommandLine|contains: LockWorkStation
condition: all of selection_*

Author

frack113

Created

2022-06-04

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/

Tags

attack.defense-evasion

Raw Content

title: Suspicious Workstation Locking via Rundll32
id: 3b5b0213-0460-4e3f-8937-3abf98ff7dcc
status: test
description: Detects a suspicious call to the user32.dll function that locks the user workstation
references:
    - https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/
author: frack113
date: 2022-06-04
modified: 2023-02-09
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_call_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_call_parent:
        ParentImage|endswith: '\cmd.exe'
    selection_call_cli:
        CommandLine|contains: 'user32.dll,'
    selection_function:
        CommandLine|contains: 'LockWorkStation'
    condition: all of selection_*
falsepositives:
    - Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option
level: medium