Suspicious ShellExec_RunDLL Call Via Ordinal (8823e85d-31d8-473e-b7f4-92da070f0fc6)

Detects suspicious calls to the "ShellExec_RunDLL" exported function of SHELL32.DLL made through its ordinal number to launch other commands. An adversary might use only the ordinal number in order to bypass existing detections that alert on the use of ShellExec_RunDLL in the CommandLine.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Suspicious ShellExec_RunDLL Call Via Ordinal (8823e85d-31d8-473e-b7f4-92da070f0fc6) | Sigma-Rules | Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) | Attack Pattern | 1 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) | Attack Pattern | 2 |