==================================================

CREATED: WIN-RUNDLL-EXEC-ORDINAL-CALL (#2243)

Description

This detector identifies suspicious instances of the Windows process rundll32.exe executing an exported DLL function by its ordinal value.

ATT&CK Technique T1085

==================================================

CREATED: NIX-YUM-PERSIST (#2304)

Description

This detector alerts on one of a sequence of commands used by Metasploit to achieve persistence via the yum utility. This attack installs a program to be executed the next time yum is run.

==================================================

CREATED: WIN-RUNDLL32-SPAWNING-SYSPREP (#2320)

Description

This detector identifies instances of the Windows DLL launching utility (rundll32.exe) spawning the Windows binary sysprep.exe. This activity has been observed with Cobalt Strike payloads that bypass User Account Control (UAC).

ATT&CK Technique T1038
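As an added illustration (not the detector logic of the product this changelog describes), the following Python implements the two rundll32 checks named above over process-creation telemetry: a rundll32.exe command line that names an export by ordinal (`dll,#N`; an optional `+` after the `#` is also accepted here as an assumption), and sysprep.exe whose parent process is rundll32.exe. The event records, field names (`image`, `command_line`, `parent_image`) and paths are constructed sample data modelled loosely on Sysmon Event ID 1 fields, not real telemetry.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# The paths and PIDs are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\Public\update.dll,#2",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4188, "image": r"C:\Windows\System32\sysprep\sysprep.exe",
     "command_line": r'"C:\Windows\System32\sysprep\sysprep.exe"',
     "parent_image": r"C:\Windows\System32\rundll32.exe"},
    # Benign: rundll32 calling an export by name, not by ordinal.
    {"pid": 5002, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5100, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

# rundll32 entry-point syntax is "<dll>,<export>"; an ordinal export is written
# as "#<number>" (a leading "+" is tolerated here as an assumed variant).
ORDINAL_RE = re.compile(r",\s*#\+?\d+(?=\s|$)")


def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive comparison."""
    return PureWindowsPath(path).name.lower()


def is_rundll32_ordinal_call(event):
    """WIN-RUNDLL-EXEC-ORDINAL-CALL: rundll32.exe invoking an export by ordinal."""
    return (basename(event["image"]) == "rundll32.exe"
            and ORDINAL_RE.search(event["command_line"]) is not None)


def is_rundll32_spawning_sysprep(event):
    """WIN-RUNDLL32-SPAWNING-SYSPREP: sysprep.exe whose parent is rundll32.exe."""
    return (basename(event["parent_image"]) == "rundll32.exe"
            and basename(event["image"]) == "sysprep.exe")


def run_detectors(events):
    """Return (detector name, pid) for every event that trips a check."""
    hits = []
    for event in events:
        if is_rundll32_ordinal_call(event):
            hits.append(("WIN-RUNDLL-EXEC-ORDINAL-CALL", event["pid"]))
        if is_rundll32_spawning_sysprep(event):
            hits.append(("WIN-RUNDLL32-SPAWNING-SYSPREP", event["pid"]))
    return hits


if __name__ == "__main__":
    for name, pid in run_detectors(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

The parent/child check matches on image basenames only, so a real deployment would also want to confirm the full path of each image and tune for any software known to launch sysprep legitimately; the ordinal check deliberately ignores the export-by-name form, which is how most legitimate rundll32 usage appears.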
