Monitoring network connections
Rundll32 is a Microsoft Windows system utility that provides an entry point and a minimal framework for executing dynamic-link libraries (DLLs). Because it is a signed system binary that loads and runs arbitrary DLL exports, it is frequently abused as a proxy for malicious code, so we want to monitor the network connections it makes to public IP addresses.
Rule
<?xml version='1.0' encoding='UTF-8'?>
<rule>
  <description>
    <name>External Network Connection from rundll32.exe with Unpopular Parent [A0504b]</name>
    <category>Communication</category>
    <os>Windows</os>
    <severity>48</severity>
    <mitreattackid>T1218.011</mitreattackid>
    <explanation>Rundll32 is a Microsoft Windows system utility that provides an entry point and minimal framework for executing dynamic-link libraries. The rule monitors network connections to public range IP addresses from Rundll32 that was started from an unpopular process.</explanation>
    <benignCauses>This usually happens when benign, less popular software prints on a network printer.</benignCauses>
    <maliciousCauses>Often used by script malware for downloading or reporting.</maliciousCauses>
    <recommendedActions>1. Evaluate the parent process, its command line and execution chain. 2. Evaluate the target IP, and check events for creating, modifying and executing files by the script interpreter. 3. If suspicious activity is detected, start the incident response process (for example, disconnect the computer from the internet, update your antivirus product and scan the computer for malware, send samples for analysis, block the module, etc.).</recommendedActions>
  </description>
  <definition>
    <parentprocess>
      <operator type="AND">
        <condition component="LiveGrid" property="Popularity" condition="less" value="1000"/>
        <operator type="NOT">
          <operator type="OR">
            <condition component="Module" property="SignatureType" condition="is" value="Trusted"/>
            <condition component="Enterprise" property="Safe" condition="is" value="1"/>
          </operator>
        </operator>
      </operator>
    </parentprocess>
    <process>
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="rundll32.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="RUNDLL32.exe"/>
      </operator>
    </process>
    <operations>
      <operation type="TcpIpConnect">
        <operator type="OR">
          <operator type="NOT">
            <operator type="OR">
              <condition component="Network" property="IpAddressV4" condition="is" value="10.0.0.0/8"/>
              <condition component="Network" property="IpAddressV4" condition="is" value="172.16.0.0/12"/>
              <condition component="Network" property="IpAddressV4" condition="is" value="192.168.0.0/16"/>
              <condition component="Network" property="IpAddressV4" condition="is" value="127.0.0.0/8"/>
            </operator>
          </operator>
          <operator type="NOT">
            <operator type="OR">
              <condition component="Network" property="IpAddressV6" condition="is" value="fc00::/7"/>
              <condition component="Network" property="IpAddressV6" condition="is" value="::1/128"/>
            </operator>
          </operator>
        </operator>
      </operation>
    </operations>
  </definition>
  <maliciousTarget name="current"/>
  <actions>
    <action name="TriggerDetection"/>
    <action name="StoreEvent"/>
  </actions>
</rule>
Things to notice in the rule example above:
1. While testing the rule, we noticed that it was triggered by printing on a network printer, which Windows handles internally through Rundll32. Because this is a false positive, we filter out Rundll32 instances started by popular parent processes by adding a <parentprocess> section with a LiveGrid Popularity condition. The same section also drops parents whose module signature is Trusted or that are marked as Safe in the enterprise; either of those filters could also be used on its own.
2. Rundll32 is matched by its file name, but because the executable can be renamed, the rule additionally matches on the OriginalFileName stored in the module's version information, so a renamed copy is still caught.
3. As we want to monitor network connections, we use the TcpIpConnect operation. The operation excludes the private IPv4 ranges and loopback, as well as the IPv6 unique local range and loopback, so that only connections to public addresses are reported.
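To check how the three sections of the rule combine before deploying it, the following added example (not ESET code, and not part of the original page) re-implements the rule's decision logic in plain Python and runs it over constructed TcpIpConnect events. The event field names and the ConnectEvent class are this example's own choice, not ESET Inspect's event schema; the popularity threshold, process names and excluded address ranges are taken from the rule above, and the "is" comparison on file names is assumed to be case-insensitive.

```python
"""Added example (not ESET code): the decision logic of the rule above,
re-implemented in plain Python and run over constructed TcpIpConnect events
so the parent, process and destination filters can be checked one by one."""
import ipaddress
from dataclasses import dataclass

# Address ranges the rule excludes from "external": RFC 1918 and loopback for
# IPv4, unique local and loopback for IPv6 (same values as the rule).
NON_PUBLIC_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
)]

POPULARITY_THRESHOLD = 1000  # LiveGrid Popularity cut-off used by the rule


@dataclass
class ConnectEvent:
    """One TcpIpConnect event. Field names are this example's own choice
    (hypothetical), not ESET Inspect's event schema."""
    name: str                # label for the constructed sample
    file_name: str           # FileItem/FileName of the connecting process
    original_file_name: str  # Module/OriginalFileName from version info
    parent_popularity: int   # LiveGrid/Popularity of the parent process
    parent_trusted: bool     # parent Module/SignatureType is Trusted
    parent_safe: bool        # parent marked Safe in the enterprise
    dest_ip: str             # Network/IpAddressV4 or IpAddressV6


def is_rundll32(ev: ConnectEvent) -> bool:
    """<process> section: FileName OR OriginalFileName is rundll32.exe.
    Case-insensitive comparison is an assumption about the rule's 'is'."""
    return (ev.file_name.lower() == "rundll32.exe"
            or ev.original_file_name.lower() == "rundll32.exe")


def parent_is_unpopular(ev: ConnectEvent) -> bool:
    """<parentprocess> section: Popularity < 1000 AND NOT (Trusted OR Safe)."""
    return (ev.parent_popularity < POPULARITY_THRESHOLD
            and not (ev.parent_trusted or ev.parent_safe))


def is_public_address(ip: str) -> bool:
    """<operations> section: destination lies outside every excluded range.
    ip_network membership is False across address families, so the IPv6
    ranges never exclude an IPv4 destination and vice versa."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC_RANGES)


def rule_matches(ev: ConnectEvent) -> bool:
    return (is_rundll32(ev) and parent_is_unpopular(ev)
            and is_public_address(ev.dest_ip))


# Constructed sample events (not real telemetry); popular/unpopular values are invented.
SAMPLE_EVENTS = [
    # Signed, widely seen parent printing to a LAN printer: the benign case.
    ConnectEvent("print-job", "rundll32.exe", "RUNDLL32.EXE", 250000, True, False, "192.168.10.5"),
    # Unsigned, rarely seen parent; rundll32 reaches a public address.
    ConnectEvent("unpopular-parent", "rundll32.exe", "RUNDLL32.EXE", 3, False, False, "203.0.113.10"),
    # Same, but the binary was renamed: only OriginalFileName identifies it.
    ConnectEvent("renamed-binary", "svchelper.exe", "RUNDLL32.EXE", 3, False, False, "198.51.100.7"),
    # Unpopular parent but internal destinations: not external.
    ConnectEvent("internal-v4", "rundll32.exe", "RUNDLL32.EXE", 3, False, False, "10.20.30.40"),
    ConnectEvent("internal-v6", "rundll32.exe", "RUNDLL32.EXE", 3, False, False, "fd12::1"),
    # Public IPv6 destination.
    ConnectEvent("external-v6", "rundll32.exe", "RUNDLL32.EXE", 3, False, False, "2001:db8::1"),
    # Rare parent, but with a trusted signature: dropped by the NOT branch.
    ConnectEvent("rare-but-trusted", "rundll32.exe", "RUNDLL32.EXE", 2, True, False, "203.0.113.10"),
    # Not rundll32 at all.
    ConnectEvent("other-process", "powershell.exe", "PowerShell.EXE", 3, False, False, "203.0.113.10"),
]


def triage(events=SAMPLE_EVENTS):
    """Return the names of the events the rule would flag, in input order."""
    return [ev.name for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.name:18} -> {'DETECT' if rule_matches(ev) else 'ignore'}")
```

Running the script flags unpopular-parent, renamed-binary and external-v6 only: the print job is dropped by the parent filter, the two internal destinations by the address exclusions, and the trusted parent by the NOT branch, which is exactly the behaviour the three "things to notice" describe.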