Create SignedBinaryProxyExecutionRundll32.yaml

Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml

@@ -0,0 +1,43 @@
+id: c2074fce-b5ba-4c0a-9332-d08b8fc43c53
+name: Rundll32 (LOLBins and LOLScripts)
+description: |
+  'This detection uses Sysmon telemetry to hunt Signed Binary Proxy Execution: Rundll32 activities'
+
+requiredDataConnectors:
+  - connectorId: SecurityEvents
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - Defense Evasion
+relevantTechniques:
+  - T1218.011
+
+query: |
+  let timeframe = 1d;
+  Event
+  //This query uses sysmon data depending on table name used this may need updataing
+  | where TimeGenerated >= ago(timeframe)
+  | where Source == "Microsoft-Windows-Sysmon"
+  | where EventID == 1
+  | extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
+  | extend EventData = parse_xml(EventData).DataItem.EventData.Data
+  | mv-expand bagexpansion=array EventData
+  | evaluate bag_unpack(EventData)
+  | extend Key=tostring(['@Name']), Value=['#text']
+  | evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
+  | extend RuleName = column_ifexists("RuleName", ""), TechniqueId = column_ifexists("TechniqueId", ""),  TechniqueName = column_ifexists("TechniqueName", "")
+  | parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName
+  | where Image has "rundll32.exe"
+  // Uncomment the next line and add your commandLine Whitelisted/ignore terms.For example "payload.dll"
+  // | where CommandLine !contains ("payload.dll") 
+  | extend HostCustomEntity = Computer, AccountCustomEntity = UserName
+
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity