ESET Online Help


Monitoring network connections

Rundll32 is a Microsoft Windows system utility that provides an entry point and minimal framework for executing dynamic-link libraries (DLL). We want to monitor any network connections made by this utility.


Rule

<?xml version="1.0" encoding="utf-8"?>
<rule>
  <body>
    <name>Network connection by rundll32.exe started from unpopular process [A0504]</name>
    <severity>Information</severity>
    <parentprocess>
      <condition component="LiveGrid" property="Popularity" condition="less" value="10000" />
    </parentprocess>
    <process>
      <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="rundll32" />
    </process>
    <operations>
      <operation type="TcpIpConnect">
        <condition component="Network" property="Port" condition="isnotempty" />
      </operation>
    </operations>
  </body>
</rule>

Things to notice in the rule example above:

1. While testing the rule, we noticed that it was triggered by printing on a network printer, which is internally handled by Rundll32. As this case is a false positive, we decided to filter out Rundll32 instances started from popular processes; this is the reason for the <parentprocess> section. We could also use other filters, such as Trusted or Marked as Safe.

2. Rundll32 is matched here by its common file name. Because the process executable can be renamed, we can also match Rundll32 using the Executable OriginalFileName property.

3. As we want to monitor any network connection, we use condition="isnotempty" on the Port property.
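The following is an added example, not part of ESET's documentation or the ESET Inspect engine: a small Python simulation of how the three sections of the rule above are evaluated against telemetry, including the printing false positive from point 1 and the renamed-executable gap from point 2. The Event record, the integer popularity values and the sample events are all constructed here for illustration.

```python
# Added example: simulates the evaluation of rule A0504 over constructed events.
# This is NOT ESET's rule engine; field names and values are assumptions.
from dataclasses import dataclass
from typing import List, Optional

POPULARITY_THRESHOLD = 10000  # value="10000" in the <parentprocess> condition


@dataclass
class Event:
    operation: str              # operation type, e.g. "TcpIpConnect"
    process_name: str           # FileItem.FileNameWithoutExtension of the process
    parent_popularity: int      # LiveGrid.Popularity of the parent (assumed integer)
    port: Optional[str]         # Network.Port; None or "" counts as "empty"


def matches_rule(ev: Event) -> bool:
    """True when <parentprocess>, <process> and <operations> all match."""
    parent_ok = ev.parent_popularity < POPULARITY_THRESHOLD            # condition="less"
    process_ok = ev.process_name.lower() == "rundll32"                 # condition="is" (case-insensitive assumed)
    operation_ok = ev.operation == "TcpIpConnect" and bool(ev.port)    # condition="isnotempty"
    return parent_ok and process_ok and operation_ok


# Constructed sample telemetry (not real ESET data).
SAMPLE_EVENTS: List[Event] = [
    # 1: rundll32 spawned by a rarely seen parent opens a TCP connection -> triggers
    Event("TcpIpConnect", "rundll32", parent_popularity=3, port="443"),
    # 2: print job: rundll32 started by a very popular process -> filtered by <parentprocess>
    Event("TcpIpConnect", "rundll32", parent_popularity=5_000_000, port="9100"),
    # 3: renamed executable: the FileNameWithoutExtension match does not see it (point 2)
    Event("TcpIpConnect", "svch0st", parent_popularity=3, port="443"),
    # 4: rundll32 with an unpopular parent but no network operation -> no match
    Event("FileCreate", "rundll32", parent_popularity=3, port=None),
]


def triggered_events(events: List[Event]) -> List[int]:
    """Return the 1-based indices of events that would raise the rule."""
    return [i for i, ev in enumerate(events, start=1) if matches_rule(ev)]


if __name__ == "__main__":
    print(triggered_events(SAMPLE_EVENTS))  # [1]
```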