| ID | Technique | Tactic |
|---|---|---|
| T1574 | Hijack Execution Flow | Execution |
Detection: Windows Rundll32 Execution With Log.DLL
Description
Identifies the execution of rundll32 with a command line argument of "log.dll", as used in the Lotus Blossom Chrysalis backdoor campaign. Attackers placed a malicious "log.dll" in "%AppData%\Bluetooth" and invoked it via rundll32.exe "log.dll,LogInit" to decrypt and execute ShellCode. The legitimate Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe) also uses log.dll and is vulnerable to DLL sideloading.
Search
1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
3 from datamodel=Endpoint.Processes where
4 `process_rundll32`
5 Processes.process="* log.dll*"
6 by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
7
8| `drop_dm_object_name(Processes)`
9
10| `security_content_ctime(firstTime)`
11
12| `security_content_ctime(lastTime)`
13
14| `windows_rundll32_execution_with_log_dll_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4688 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Security' |
| Sysmon EventID 1 | Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
| CrowdStrike ProcessRollup2 | Other | 'crowdstrike:events:sensor' |
'crowdstrike' |
Macros Used
| Name | Value |
|---|---|
| security_content_summariesonly | summariesonly=summariesonly_config allow_old_summaries=oldsummaries_config fillnull_value=fillnull_config`` |
| windows_rundll32_execution_with_log_dll_filter | search * |
windows_rundll32_execution_with_log_dll_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Installation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.
Implementation
Ingest process creation logs (Sysmon EventID 1 or equivalent) and map them to the Endpoint.Processes data model. Ensure command-line arguments are captured so that "log.dll" appears in the process field. The Splunk Add-on for Microsoft Sysmon and CIM are required.
Known False Positives
Legitimate use of rundll32 to load log.dll from trusted locations may trigger this. Allowlist known paths or parent processes as needed.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| Rundll32 loaded log.dll on $dest$ by user $user$, indicating potential Lotus Blossom-style DLL side loading abuse. | user | user | 20 |
| Rundll32 loaded log.dll on $dest$ by user $user$, indicating potential Lotus Blossom-style DLL side loading abuse. | dest | system | 20 |
Threat Objects
| Field | Type |
|---|---|
| process | process |
| process_name | process_name |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 3