Query for Unusual Instances of rundll32.exe making outbound network connections using SysMon Data

AID2201251645.YAML

#####aid_begin
#description: identifies unusual instances of rundll32.exe making outbound network connections using sysmon
#id: aid2201251645
#processtype: query
#category: network
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  format-bgevent
#  1) get the sysmon event log where id 3
#  2) query the result to identify unusual instances of rundll32.exe making outbound network connections using sysmon.
#notes: |- 
#  adversaries may abuse rundll32.exe to proxy execution of malicious code. this may indicate adversarial command and control activity.
#   o event source: sysmon
#   o schema used: "sysmon.schema"
#   o event dataset: "microsoft-windows-sysmon/operational"
#   o eventid's: '3'
#####aid_end
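commands:
# Step 1: read Sysmon EventID 3 (network connection) records from the
# Microsoft-Windows-Sysmon/operational log with a pass-through EQL query
# ("generic where true"); the schema path is built from $ScriptDirectory.
# A duplicated -EQLQuery argument was dropped here: binding the same named
# parameter twice is a PowerShell parameter-binding error.
# NOTE(review): -MaxEvents 5000 caps how many events are read; on a busy host
# older connections may fall outside that window — confirm the cap fits.
- Format-BGEvent -Event "Microsoft-Windows-Sysmon/operational" -PropsOnly -MaxEvents 5000 -ID '3' -Schema "$('{0}\Blubin\Modules\BluGenie\Configs\Schema\Sysmon_1.Schema' -f $ScriptDirectory)" -EQLQuery "generic where true"
# Step 2: re-query the output of step 1 ("Last:") for rundll32.exe connections
# whose destination is outside the listed private / special-purpose IPv4 ranges
# (RFC 1918, loopback, link-local, CGNAT, documentation, multicast, reserved).
# NOTE(review): the cidrMatch exclusion list is IPv4-only; IPv6 loopback,
# link-local or ULA destinations would not be excluded by it — confirm whether
# that is intended for dual-stack hosts.
- Format-BGEvent -UseInputFile "Last:" -EQLQuery "generic where EventId in (3) and process_name == '*\\rundll32.exe' and not cidrMatch(destination_ip, '10.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16', '172.16.0.0/12', '192.0.0.0/24', '192.0.0.0/29', '192.0.0.8/32', '192.0.0.9/32', '192.0.0.10/32', '192.0.0.170/32', '192.0.0.171/32', '192.0.2.0/24', '192.31.196.0/24', '192.52.193.0/24', '192.168.0.0/16', '192.88.99.0/24', '224.0.0.0/4', '100.64.0.0/10', '192.175.48.0/24', '198.18.0.0/15', '198.51.100.0/24', '203.0.113.0/24', '240.0.0.0/4')"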
