LoFP / windows control panel elements have been identified as source (mmc)

Techniques

Sample rules

Suspicious Call by Ordinal

Description

Detects suspicious rundll32.exe invocations that call DLL exports by ordinal instead of by export name

Detection logic

condition: all of selection_* and not 1 of filter_*
filter_edge:
  CommandLine|contains|all:
  - EDGEHTML.dll
  - '#141'
filter_vsbuild_dll:
  CommandLine|contains:
  - \FileTracker32.dll,#1
  - \FileTracker32.dll",#1
  - \FileTracker64.dll,#1
  - \FileTracker64.dll",#1
  ParentImage|contains:
  - \Msbuild\Current\Bin\
  - \VC\Tools\MSVC\
  - \Tracker.exe
selection_cli:
  CommandLine|contains:
  - ',#'
  - ', #'
  - '.dll #'
  - '.ocx #'
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
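The rule above is easier to reason about when its selections and false-positive filters can be run one at a time over concrete events. The following Python evaluator is an added example, not code from the LoFP page or the Sigma project: it implements the Sigma semantics used in the rule (case-insensitive `contains`/`endswith`, OR between the entries of a list, AND between the fields of one map, `contains|all` requiring every substring) and the condition `all of selection_* and not 1 of filter_*`. The events are constructed samples using Sysmon-style field names; the paths in them are illustrative assumptions, not values taken from the page.

```python
"""Added example: evaluator for the 'Suspicious Call by Ordinal' Sigma rule,
run over constructed process-creation events (not part of the LoFP page)."""

# Sigma string modifiers are case-insensitive by default, so every
# comparison lower-cases both sides. A missing field never matches.
def _contains(value, needle):
    return needle.lower() in (value or "").lower()


def selection_img(ev):
    # selection_img is a list of maps -> OR between the two maps.
    # OriginalFileName catches a renamed rundll32.exe binary.
    image = (ev.get("Image") or "").lower()
    original = (ev.get("OriginalFileName") or "").lower()
    return image.endswith("\\rundll32.exe") or original == "rundll32.exe"


ORDINAL_MARKERS = (",#", ", #", ".dll #", ".ocx #")


def selection_cli(ev):
    # One field with a list value -> any of the substrings may match.
    return any(_contains(ev.get("CommandLine"), m) for m in ORDINAL_MARKERS)


def filter_edge(ev):
    # contains|all -> every listed substring must be present.
    return all(_contains(ev.get("CommandLine"), s) for s in ("EDGEHTML.dll", "#141"))


VSBUILD_CLI = ('\\FileTracker32.dll,#1', '\\FileTracker32.dll",#1',
               '\\FileTracker64.dll,#1', '\\FileTracker64.dll",#1')
VSBUILD_PARENTS = ("\\Msbuild\\Current\\Bin\\", "\\VC\\Tools\\MSVC\\", "\\Tracker.exe")


def filter_vsbuild_dll(ev):
    # Two fields in one map -> AND between the fields, OR inside each list.
    cli_ok = any(_contains(ev.get("CommandLine"), s) for s in VSBUILD_CLI)
    parent_ok = any(_contains(ev.get("ParentImage"), p) for p in VSBUILD_PARENTS)
    return cli_ok and parent_ok


def rule_matches(ev):
    # condition: all of selection_* and not 1 of filter_*
    return (selection_img(ev) and selection_cli(ev)
            and not (filter_edge(ev) or filter_vsbuild_dll(ev)))


# Constructed sample events; file paths are illustrative assumptions.
SAMPLE_EVENTS = {
    "ordinal_from_user_writable_path": {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Users\Public\unknown.dll,#1",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    "edge_ordinal_141": {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'rundll32.exe "C:\Windows\System32\EDGEHTML.dll",#141',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    "msbuild_filetracker": {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'rundll32.exe "C:\VS\MSBuild\Current\Bin\FileTracker32.dll",#1',
        "ParentImage": r"C:\VS\MSBuild\Current\Bin\Tracker.exe",
    },
    "named_export_not_ordinal": {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    "renamed_binary_with_ordinal": {
        "Image": r"C:\Users\Public\r.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"r.exe C:\Users\Public\x.dll,#3",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    "ordinal_in_other_process": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c echo a,#1",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
}


def evaluate(events=SAMPLE_EVENTS):
    """Return {event name: True if the rule fires} for each event."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'quiet '} {name}")
```

Running the block shows only the two ordinal calls from a user-writable path firing: the Edge and FileTracker events are swallowed by the filters, the `Control_RunDLL` call never satisfies `selection_cli`, and the `cmd.exe` event never satisfies `selection_img`. When triaging a false positive such as the MMC case this page is filed under, checking each selection and filter separately this way shows exactly which clause a new `filter_*` entry would need to cover.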