Query for unusual instances of rundll32.exe via the Event Log

#####aid_begin
#description:  identifies unusual instances of rundll32.exe making suspicious file creations and executions
#id: aid2201252011
#processtype: query
#category: eventlog
#link: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  format-bgevent 
#   1) get the sysmon event log where id 1, 11
#   2) query unusual instances of suspicious file creation and execution using rundll32.exe 
#notes:  |- 
#  Identifies when a script interpreter or signed binary is launched from a non-standard working directory; an attacker may use this technique to evade defenses.
#   o event source: sysmon
#   o schema used: "c:\blugenie\bin\x64\blubin\modules\blugenie\configs\schema\sysmon.schema"
#   o event dataset: "microsoft-windows-sysmon/operational"
#   o eventid's: '1, 11'
#####aid_end
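# Two-stage query. The first Format-BGEvent pulls Sysmon event ID 1 (process
# creation) and ID 11 (file creation) into an input file; the second re-reads
# that file ("Last:") and keeps only rundll32.exe events whose command line or
# file path falls under one of the listed directories (user profile
# Roaming/Public/Local\Temp, ProgramData, Windows temp/tasks/spool/tracing,
# and several other Windows sub-directories).
# NOTE(review): -MaxEvents 50 caps the first pass at 50 events *before* the
# rundll32 filter is applied, so on a busy host matching events may fall
# outside that window; raise it if the query is expected to be complete.
# NOTE(review): the notes header cites "sysmon.schema" while the command loads
# "Sysmon_1.Schema" — confirm which schema file is intended.
# Fix: both "fxstmp" patterns used a single backslash ("system32\fxstmp"),
# unlike every sibling pattern, so "\f" was not a literal path separator
# followed by "f"; they now use "\\fxstmp" like the rest of the list.
commands:
- Format-BGEvent -Event "Microsoft-Windows-Sysmon/operational" -PropsOnly -MaxEvents 50 -ID '1,11' -Schema "$('{0}\Blubin\Modules\BluGenie\Configs\Schema\Sysmon_1.Schema' -f $ScriptDirectory)" -EQLQuery "generic where true"
- Format-BGEvent -UseInputFile "Last:" -EQLQuery "generic where EventId in (1,11) and (process_name == '*\\rundll32.exe' and wildcard(process_command_line, '*\\Users\\*\\AppData\\Roaming\\*', '*\\Users\\*\\Public\\*', '*\\Users\\*\\AppData\\Local\\Temp\\*', '*\\ProgramData\\*', '*\\Windows\\temp\\*', '*\\Windows\\system32\\microsoft\\crypto\\rsa\\machinekeys\\*', '*\\Windows\\system32\\tasks_migrated\\microsoft\\windows\\pla\\system\\*', '*\\Windows\\syswow64\\tasks\\microsoft\\windows\\pla\\system\\*', '*\\Windows\\debug\\wia\\*', '*\\Windows\\system32\\tasks\\*', '*\\Windows\\syswow64\\tasks\\*', '*\\Windows\\tasks\\*', '*\\Windows\\registration\\crmlog\\*', '*\\Windows\\system32\\com\\dmp\\*', '*\\Windows\\system32\\fxstmp\\*', '*\\Windows\\system32\\spool\\drivers\\color\\*', '*\\Windows\\system32\\spool\\printers\\*', '*\\Windows\\system32\\spool\\servers\\*', '*\\Windows\\syswow64\\com\\dmp\\*', '*\\Windows\\syswow64\\fxstmp\\*', '*\\Windows\\tracing\\*')) or (process_name == '*\\rundll32.exe' and wildcard(file_path, '*\\Users\\*\\AppData\\Roaming\\*', '*\\Users\\*\\Public\\*', '*\\Users\\*\\AppData\\Local\\Temp\\*', '*\\ProgramData\\*', '*\\Windows\\temp\\*', '*\\Windows\\system32\\microsoft\\crypto\\rsa\\machinekeys\\*', '*\\Windows\\system32\\tasks_migrated\\microsoft\\windows\\pla\\system\\*', '*\\Windows\\syswow64\\tasks\\microsoft\\windows\\pla\\system\\*', '*\\Windows\\debug\\wia\\*', '*\\Windows\\system32\\tasks\\*', '*\\Windows\\syswow64\\tasks\\*', '*\\Windows\\tasks\\*', '*\\Windows\\registration\\crmlog\\*', '*\\Windows\\system32\\com\\dmp\\*', '*\\Windows\\system32\\fxstmp\\*', '*\\Windows\\system32\\spool\\drivers\\color\\*', '*\\Windows\\system32\\spool\\printers\\*', '*\\Windows\\system32\\spool\\servers\\*', '*\\Windows\\syswow64\\com\\dmp\\*', '*\\Windows\\syswow64\\fxstmp\\*', '*\\Windows\\tracing\\*'))"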
