sigmamediumHunting

Rundll32 Internet Connection

Detects a rundll32 that communicates with public IP addresses

MITRE ATT&CK

defense-evasionexecution

Detection Query

selection:
  Image|endswith: \rundll32.exe
  Initiated: "true"
filter_main_local_ranges:
  DestinationIp|cidr:
    - 127.0.0.0/8
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 169.254.0.0/16
    - ::1/128
    - fe80::/10
    - fc00::/7
filter_main_ms_ranges:
  DestinationIp|cidr:
    - 20.0.0.0/8
    - 51.103.0.0/16
    - 51.104.0.0/16
    - 51.105.0.0/16
filter_main_app_sdb:
  CommandLine|endswith: \system32\PcaSvc.dll,PcaPatchSdbTask
filter_main_azure_managed:
  SourceHostname|endswith: .internal.cloudapp.net
filter_main_svchost_update_processes:
  ParentImage: C:\Windows\System32\svchost.exe
  DestinationPort: 443
condition: selection and not 1 of filter_main_*

Author

Florian Roth (Nextron Systems)

Created

2017-11-04

Data Sources

windowsNetwork Connection Events

Platforms

windows

References

https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100

Tags

attack.defense-evasionattack.t1218.011attack.execution

Raw Content

title: Rundll32 Internet Connection
id: cdc8da7d-c303-42f8-b08c-b4ab47230263
status: test
description: Detects a rundll32 that communicates with public IP addresses
references:
    - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-11-04
modified: 2024-03-13
tags:
    - attack.defense-evasion
    - attack.t1218.011
    - attack.execution
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_main_ms_ranges:
        DestinationIp|cidr:
            - '20.0.0.0/8' # Microsoft range, caused some FPs
            - '51.103.0.0/16' # Microsoft AS8075 range, caused some FPs
            - '51.104.0.0/16' # Microsoft AS8075 range, caused some FPs
            - '51.105.0.0/16' # Microsoft AS8075 range, caused some FPs
    filter_main_app_sdb:
        CommandLine|endswith: '\system32\PcaSvc.dll,PcaPatchSdbTask'
    filter_main_azure_managed:
        SourceHostname|endswith: '.internal.cloudapp.net'
    filter_main_svchost_update_processes:
        # Note: This require "ParentImage" data enrichment.
        ParentImage: 'C:\Windows\System32\svchost.exe'
        DestinationPort: 443
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Communication to other corporate systems that use IP addresses from public address spaces
level: medium