Suspicious Workstation Locking via Rundll32
- source: sigma
- techniques:
Description
Detects a suspicious call to the user32.dll function that locks the user workstation
Detection logic
    condition: all of selection_*
    selection_call_cli:
        CommandLine|contains: 'user32.dll,'
    selection_call_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_call_parent:
        ParentImage|endswith: '\cmd.exe'
    selection_function:
        CommandLine|contains: 'LockWorkStation'
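To show how the selections above combine (a list under a selection is OR, a mapping is AND, and `all of selection_*` ANDs every selection), here is an added example evaluator in Python run over constructed process-creation events; it is not part of the original rule page or of the Sigma project, and the event field names and sample values are assumptions.

```python
# Added example: evaluate the rule's selections against constructed events.
# A list under a selection is OR (any item); a mapping is AND (all fields);
# 'all of selection_*' ANDs every selection.
SELECTIONS = {
    "selection_call_cli": {"CommandLine|contains": "user32.dll,"},
    "selection_call_img": [
        {"Image|endswith": "\\rundll32.exe"},
        {"OriginalFileName": "RUNDLL32.EXE"},
    ],
    "selection_call_parent": {"ParentImage|endswith": "\\cmd.exe"},
    "selection_function": {"CommandLine|contains": "LockWorkStation"},
}


def field_matches(event, key, value):
    """Apply one Sigma field test; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    expected = str(value).lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    if isinstance(selection, list):  # OR over the list items
        return any(selection_matches(event, item) for item in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event):
    """condition: all of selection_*"""
    return all(selection_matches(event, sel) for sel in SELECTIONS.values())


# Constructed sample events (assumed field names, not real telemetry).
HIT = {"Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
       "ParentImage": "C:\\Windows\\System32\\cmd.exe",
       "CommandLine": "rundll32.exe user32.dll,LockWorkStation"}
# Same command line launched from explorer.exe: selection_call_parent fails, no alert.
MISS_PARENT = dict(HIT, ParentImage="C:\\Windows\\explorer.exe")
# Renamed binary: Image no longer matches, but OriginalFileName still does (OR).
HIT_RENAMED = dict(HIT, Image="C:\\Users\\Public\\r.exe")
```

The third event shows why selection_call_img checks OriginalFileName as well as the image path: renaming rundll32.exe on disk does not defeat the selection.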