Suspicious Call by Ordinal

Detects suspicious calls of DLLs in rundll32.dll exports by ordinal

Rule Content

- title: Suspicious Call by Ordinal
  id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
  description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
  status: experimental
  references:
  - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
  - https://github.com/Neo23x0/DLLRunner
  - https://twitter.com/cyb3rops/status/1186631731543236608
  tags:
  - attack.defense_evasion
  - attack.execution
  - attack.t1085
  author: Florian Roth
  date: 2019/10/22
  logsource:
    category: process_creation
    product: windows
    service: null
  detection:
    selection:
      CommandLine: '*\rundll32.exe *,#*'
    condition: selection
  falsepositives:
  - False positives depend on scripts and administrative tools used in the monitored
    environment
  - Windows contol panel elements have been identified as source (mmc)
  level: high

Querying Elasticsearch

Import Libraries



In [ ]:

    
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client



In [ ]:

    
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query



In [ ]:

    
s = searchContext.query('query_string', query='process_command_line.keyword:*\\rundll32.exe\ *,#*')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))

Show Results



In [ ]:

    
df.head()