Techniques
Sample rules
Windows Rundll32 Execution With Log.DLL
- source: splunk
- technicques:
- T1574
Description
Identifies the execution of rundll32 with a command line argument of “log.dll”, as used in the Lotus Blossom Chrysalis backdoor campaign. Attackers placed a malicious “log.dll” in “%AppData%\Bluetooth” and invoked it via rundll32.exe “log.dll,LogInit” to decrypt and execute ShellCode. The legitimate Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe) also uses log.dll and is vulnerable to DLL sideloading.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes where
`process_rundll32`
Processes.process="* log.dll*"
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_rundll32_execution_with_log_dll_filter`