Added ordinal of ShellExec_RunDLL

rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml

@@ -3,6 +3,8 @@ id: d87bd452-6da1-456e-8155-7dc988157b7d
 related:
     - id: 36c5146c-d127-4f85-8e21-01bf62355d5a
       type: obsolete
+    - id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
+      type: similar
 status: test
 description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
 references:
@@ -22,16 +24,16 @@ detection:
         CommandLine|contains: 'ShellExec_RunDLL'
     selection_suspcli:
         CommandLine|contains:
-            # Add more LOLBINs and Susp Paths
-            - 'regsvr32'
-            - 'msiexec'
-            - '\Users\Public\'
-            - 'odbcconf'
+            # Note: The ordinal number may differ depending on the DLL version
             - '\Desktop\'
             - '\Temp\'
-            - 'Invoke-'
-            - 'iex'
+            - '\Users\Public\'
             - 'comspec'
+            - 'iex'
+            - 'Invoke-'
+            - 'msiexec'
+            - 'odbcconf'
+            - 'regsvr32'
     condition: all of selection_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml

@@ -0,0 +1,68 @@
+title: Suspicious ShellExec_RunDLL Call Via Ordinal
+id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
+related:
+    - id: d87bd452-6da1-456e-8155-7dc988157b7d
+      type: derived
+status: experimental
+description: |
+    Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
+    Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
+references:
+    - https://redcanary.com/blog/raspberry-robin/
+    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
+    - https://github.com/SigmaHQ/sigma/issues/1009
+    - https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
+author: Swachchhanda Shrawan Poudel
+date: 2024-12-01
+tags:
+    - attack.defense-evasion
+    - attack.t1218.011
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent_img:
+        ParentCommandLine|contains: 'SHELL32.DLL'
+    selection_parent_ordinal:
+        ParentCommandLine|contains:
+            # Note: The ordinal number may differ depending on the DLL version
+            # Example: rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"
+            - '#568'
+            - '#570'
+            - '#572'
+            - '#576'
+    selection_susp_cli_parent:
+        # Note: Add additional binaries and suspicious paths to increase coverage
+        - ParentCommandLine|contains:
+              - 'comspec'
+              - 'iex'
+              - 'Invoke-'
+              - 'msiexec'
+              - 'odbcconf'
+              - 'regsvr32'
+        - ParentCommandLine|contains:
+              - '\Desktop\'
+              - '\ProgramData\'
+              - '\Temp\'
+              - '\Users\Public\'
+    selection_susp_child_img:
+        Image|endswith:
+            - '\bash.exe'
+            - '\bitsadmin.exe'
+            - '\cmd.exe'
+            - '\cscript.exe'
+            - '\curl.exe'
+            - '\mshta.exe'
+            - '\msiexec.exe'
+            - '\msxsl.exe'
+            - '\odbcconf.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\regsvr32.exe'
+            - '\schtasks.exe'
+            - '\wmic.exe'
+            - '\wscript.exe'
+    condition: all of selection_parent_* and 1 of selection_susp_*
+falsepositives:
+    - Unknown
+level: high