UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.

Techniques

Sample rules

Potentially Suspicious Rundll32.EXE Execution of UDL File

Description

Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - oledb32.dll
  - ',OpenDSLFile '
  - \\Users\\*\\Downloads\\
  CommandLine|endswith: .udl
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
selection_parent:
  ParentImage|endswith: \explorer.exe
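The rule above keys on three things: the OLE DB handler (oledb32.dll,OpenDSLFile), a UDL path under a user's Downloads folder, and explorer.exe as the parent (a double-click). An administrator who saves a connection file to Downloads and double-clicks it to test a database connection produces exactly the same process-creation telemetry as the phishing case, which is why this page lists UDL usage as a false-positive source. The following is an added example, not code from the LoFP page or the Sigma project: a small, simplified reimplementation of the Sigma selection semantics (case-insensitive `contains`/`endswith`, `*` as a wildcard, a list of maps meaning OR, `all of selection_*` meaning AND), run over constructed Sysmon-style process-creation events. The event field names follow Sigma's `process_creation` log source; the command lines, user names, and file names are constructed for the example.

```python
import re
from typing import Dict, List

# Simplified Sigma string semantics (not pySigma): case-insensitive matching,
# '*' is a wildcard. Sigma's '\\' is a literal backslash, so the rule value
# '\\Users\\*\\Downloads\\' is the pattern \Users\<anything>\Downloads\ here.

def wildcard_regex(value: str) -> "re.Pattern[str]":
    """Compile a Sigma value with '*' wildcards into a case-insensitive regex."""
    parts = [re.escape(p) for p in value.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)

def contains(field: str, value: str) -> bool:
    return wildcard_regex(value).search(field) is not None

def endswith(field: str, value: str) -> bool:
    return field.lower().endswith(value.lower())

def equals(field: str, value: str) -> bool:
    return field.lower() == value.lower()

# selection_cli: every needle must be present AND the command line ends in .udl
def selection_cli(ev: Dict[str, str]) -> bool:
    cl = ev.get("CommandLine", "")
    needles = ["oledb32.dll", ",OpenDSLFile ", "\\Users\\*\\Downloads\\"]
    return all(contains(cl, n) for n in needles) and endswith(cl, ".udl")

# selection_img is a list of maps in Sigma, i.e. either condition suffices
def selection_img(ev: Dict[str, str]) -> bool:
    return (endswith(ev.get("Image", ""), "\\rundll32.exe")
            or equals(ev.get("OriginalFileName", ""), "RUNDLL32.EXE"))

# selection_parent: the UDL was opened from Explorer (a double-click)
def selection_parent(ev: Dict[str, str]) -> bool:
    return endswith(ev.get("ParentImage", ""), "\\explorer.exe")

def rule_matches(ev: Dict[str, str]) -> bool:
    """condition: all of selection_*"""
    return selection_cli(ev) and selection_img(ev) and selection_parent(ev)

def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    return [rule_matches(ev) for ev in events]

# Constructed process-creation events (Sysmon Event ID 1 style fields).
OLEDB = r'"C:\Program Files\Common Files\System\Ole DB\oledb32.dll"'
RUNDLL = r'"C:\Windows\System32\rundll32.exe"'

EVENTS: List[Dict[str, str]] = [
    {   # 1: lure-style: a UDL in Downloads, double-clicked from Explorer -> fires
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": f"{RUNDLL} {OLEDB},OpenDSLFile C:\\Users\\alice\\Downloads\\invoice.udl",
    },
    {   # 2: admin testing a saved connection file from Downloads -> identical
        #    telemetry, also fires; this is the false positive the page records
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": f"{RUNDLL} {OLEDB},OpenDSLFile C:\\Users\\bob\\Downloads\\sqlprod-test.udl",
    },
    {   # 3: same workflow, but the UDL lives in a tooling folder -> no match
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": f"{RUNDLL} {OLEDB},OpenDSLFile C:\\Tools\\conn\\sqlprod.udl",
    },
    {   # 4: opened from a shell rather than Explorer -> parent check fails
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": f"{RUNDLL} {OLEDB},OpenDSLFile C:\\Users\\bob\\Downloads\\sqlprod-test.udl",
    },
]

if __name__ == "__main__":
    for i, hit in enumerate(evaluate(EVENTS), start=1):
        print(f"event {i}: {'MATCH' if hit else 'no match'}")
```

Events 1 and 2 are indistinguishable to the rule, so tuning has to come from context the rule does not see: whether the user or host is expected to work with database connection files, where the UDL came from, and what connection target and credentials it carries. A filter on known administrative accounts or a baseline of UDL-opening hosts is the usual way to suppress this false positive without dropping the phishing case.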