| ID | Technique | Tactic |
|---|---|---|
| T1574 | Hijack Execution Flow | Defense Evasion |
Detection: Windows Rundll32 Execution With Log.DLL
Description
Identifies the execution of rundll32 with a command line argument of "log.dll", as used in the Lotus Blossom Chrysalis backdoor campaign. Attackers placed a malicious "log.dll" in "%AppData%\Bluetooth" and invoked it via rundll32.exe "log.dll,LogInit" to decrypt and execute ShellCode. The legitimate Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe) also uses log.dll and is vulnerable to DLL sideloading.
Search
1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
3 from datamodel=Endpoint.Processes where
4 `process_rundll32`
5 Processes.process="* log.dll*"
6 by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
7
8| `drop_dm_object_name(Processes)`
9
10| `security_content_ctime(firstTime)`
11
12| `security_content_ctime(lastTime)`
13
14| `windows_rundll32_execution_with_log_dll_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | Other | 'crowdstrike:events:sensor' |
'crowdstrike' |
| Sysmon EventID 1 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
| Windows Event Log Security 4688 | Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Security' |
Macros Used
| Name | Value |
|---|---|
| process_rundll32 | (Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE) |
| windows_rundll32_execution_with_log_dll_filter | search * |
windows_rundll32_execution_with_log_dll_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Installation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
Ingest process creation logs (Sysmon EventID 1 or equivalent) and map them to the Endpoint.Processes data model. Ensure command-line arguments are captured so that "log.dll" appears in the process field. The Splunk Add-on for Microsoft Sysmon and CIM are required.
Known False Positives
Legitimate use of rundll32 to load log.dll from trusted locations may trigger this. Allowlist known paths or parent processes as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Rundll32 loaded log.dll on $dest$ by user $user$, indicating potential Lotus Blossom-style DLL side loading abuse.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 20 | process_name, process |
| dest | system | 20 | process_name, process |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1