EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Suspicious Advpack Call Via Rundll32.EXE

Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function

Detection Query

selection_img:
  - Image|endswith: \rundll32.exe
  - OriginalFileName: RUNDLL32.EXE
  - CommandLine|contains: rundll32
selection_cli_dll:
  CommandLine|contains: advpack
selection_cli_ordinal:
  - CommandLine|contains|all:
      - "#+"
      - "12"
  - CommandLine|contains: "#-"
condition: all of selection_*

Author

Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

Created

2023-05-17

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasion
Raw Content
title: Suspicious Advpack Call Via Rundll32.EXE
id: a1473adb-5338-4a20-b4c3-126763e2d3d3
status: test
description: Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
references:
    - https://twitter.com/Hexacorn/status/1224848930795552769
    - http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli_dll:
        CommandLine|contains: 'advpack'
    selection_cli_ordinal:
        - CommandLine|contains|all:
              - '#+'
              - '12'
        - CommandLine|contains: '#-'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high