Techniques
Sample rules
Suspicious DotNET CLR Usage Log Artifact
- source: sigma
- techniques:
- t1218
Description
Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_rundll32:
    CommandLine|contains|all:
        - Temp
        - zzzzInvokeManagedCustomActionOutOfProc
    Image|endswith: \rundll32.exe
    ParentCommandLine|contains: ' -Embedding'
    ParentImage|endswith: \MsiExec.exe
selection:
    TargetFilename|endswith:
        - \UsageLogs\cmstp.exe.log
        - \UsageLogs\cscript.exe.log
        - \UsageLogs\mshta.exe.log
        - \UsageLogs\msxsl.exe.log
        - \UsageLogs\regsvr32.exe.log
        - \UsageLogs\rundll32.exe.log
        - \UsageLogs\svchost.exe.log
        - \UsageLogs\wscript.exe.log
        - \UsageLogs\wmic.exe.log
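To make the condition concrete, the following is an added example (not code from the Sigma project) that evaluates the rule above in plain Python over a handful of constructed file-creation events. Field names follow the rule (TargetFilename, Image, CommandLine, ParentImage, ParentCommandLine); the assumption is that the log pipeline has already enriched the file-create event with the writing process's image and parent data. Matching is case-insensitive, as Sigma's default string modifiers are, and the `1 of filter_main_*` clause is modelled as "any filter function matches".

```python
# Added example: a plain-Python evaluator for the Sigma rule above.
# Not Sigma's engine; field names follow the rule, event samples are constructed.

USAGE_LOG_SUFFIXES = (
    r"\UsageLogs\cmstp.exe.log",
    r"\UsageLogs\cscript.exe.log",
    r"\UsageLogs\mshta.exe.log",
    r"\UsageLogs\msxsl.exe.log",
    r"\UsageLogs\regsvr32.exe.log",
    r"\UsageLogs\rundll32.exe.log",
    r"\UsageLogs\svchost.exe.log",
    r"\UsageLogs\wscript.exe.log",
    r"\UsageLogs\wmic.exe.log",
)


def matches_selection(event):
    """selection: TargetFilename|endswith any of the UsageLogs names (case-insensitive)."""
    target = event.get("TargetFilename", "").lower()
    return any(target.endswith(suffix.lower()) for suffix in USAGE_LOG_SUFFIXES)


def matches_filter_main_rundll32(event):
    """filter_main_rundll32: the MsiExec -> rundll32 managed custom-action pattern."""
    cmd = event.get("CommandLine", "").lower()
    return (
        event.get("Image", "").lower().endswith(r"\rundll32.exe")
        and " -embedding" in event.get("ParentCommandLine", "").lower()
        and event.get("ParentImage", "").lower().endswith(r"\msiexec.exe")
        # contains|all: every listed token must be present
        and all(tok in cmd for tok in ("temp", "zzzzinvokemanagedcustomactionoutofproc"))
    )


# All filter_main_* filters; "1 of filter_main_*" is true when any one matches.
FILTERS = (matches_filter_main_rundll32,)


def rule_fires(event):
    """condition: selection and not 1 of filter_main_*"""
    return matches_selection(event) and not any(f(event) for f in FILTERS)


# Constructed sample events (EventID 11 style file-create, enriched with process data).
SAMPLE_EVENTS = [
    {   # regsvr32 wrote its CLR usage log: selection matches, no filter applies -> fires
        "id": "evt-1",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\regsvr32.exe.log",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\payload.dll",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
    },
    {   # rundll32 launched by MsiExec for a managed custom action -> filtered out
        "id": "evt-2",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\MSI1234.tmp",zzzzInvokeManagedCustomActionOutOfProc',
        "ParentImage": r"C:\Windows\System32\MsiExec.exe",
        "ParentCommandLine": r"C:\Windows\System32\MsiExec.exe -Embedding 0123456789ABCDEF",
    },
    {   # usage log for a process not in the list -> no selection match
        "id": "evt-3",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepad.exe.log",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
    },
    {   # rundll32 usage log without the MsiExec parent -> filter does not apply, fires
        "id": "evt-4",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RUNDLL32.EXE.log",
        "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\alice\Downloads\x.dll,Start",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": "cmd.exe",
    },
]


def evaluate(events):
    """Return the ids of events on which the rule fires."""
    return [e["id"] for e in events if rule_fires(e)]


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

Running it over the constructed events returns `['evt-1', 'evt-4']`: the regsvr32 log and the non-MSI rundll32 log alert, the MsiExec custom-action case is suppressed by the filter, and the notepad log never enters the selection. Keeping each filter as its own function mirrors the rule's `filter_main_*` naming, so a new tuning filter is one more function appended to `FILTERS` rather than a rewrite of the condition.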