Working with LiveGrid and Safe property
This rule monitors suspicious executable modules dropped from rundll32.exe. Rundll32 is a Microsoft Windows system utility that provides an entry point and minimal framework for executing dynamic load libraries.
Rule
<?xml version='1.0' encoding='UTF-8'?> <rule> <description> <name>Rundll32 Dropped Suspicious Executable [A0310]</name> <guid>d6359e46-f318-403c-b2b5-7133dd0fd0dd</guid> <category>File system</category> <os>Windows</os> <severity>61</severity> <mitreattackid>T1218.011,T1105</mitreattackid> <explanation>Rundll32 is a Microsoft Windows system utility that provides an entry point and minimal framework for executing dynamic load libraries. The rule monitors suspicious executable modules dropped from rundll32.exe</explanation> <benignCauses>May be part of some installation process.</benignCauses> <maliciousCauses>Rundll32 is commonly misused by malware</maliciousCauses> <recommendedActions>1. Evaluate the dropped module metadata. 2. Evaluate the executable drop reason from rundll32.exe. 3. Evaluate the rundll32.exe command line and loaded modules. 4. Evaluate the parent process, its command line and execution chain.</recommendedActions> </description> <definition> <process> <operator type="OR"> <condition component="FileItem" property="FileName" condition="is" value="rundll32.exe"/> <condition component="Module" property="OriginalFileName" condition="is" value="RUNDLL32.exe"/> </operator> </process> <operations> <operation type="ModuleDrop"> <operator type="AND"> <condition component="LiveGrid" property="Popularity" condition="less" value="1000"/> <condition component="LiveGrid" property="Reputation" condition="less" value="8"/> <operator type="NOT"> <operator type="OR"> <condition component="Module" property="SignatureType" condition="is" value="Trusted"/> <condition component="Enterprise" property="Safe" condition="is" value="1"/> </operator> </operator> </operator> </operation> </operations> </definition> <maliciousTarget name="module"/> <actions> <action name="TriggerDetection"/> <action name="StoreEvent"/> </actions> </rule> |
Things to notice in the rule example above:
1.We used the operation ModuleDrop to detect dropped modules from rundll32.
2.To filter out most of the unwanted alerts for legitimate actions, we used three types of conditions:
a.The Popularity and Reputation properties of LiveGrid component to eliminate widely used programs and programs with good reputation.
b.The SignatureType property of Module component is Trusted.
c.The Safe property of Enterprise component is set as True. You can explicitly mark a file as safe in ESET Inspect Web Console.