The Trj_Elex_Dll32 rule, published by CCN-CERT, flags 32-bit Windows DLLs that carry two artefacts of the Elex trojan: the UTF-16LE encoded string "Yrrehs" (the bytes 59 00 72 00 72 00 65 00 68 00 73 00 in the rule) and the ASCII string "RookIE/1.0". The 32-bit and DLL checks only narrow the candidate set; a 32-bit DLL loaded on a 64-bit host is routine (WoW64 applications do it all the time) and is not by itself a sign of obfuscation or evasion. SOC teams can run the rule against files on disk or process memory and forward matches to their SIEM (the page targets Azure Sentinel) to hunt for Elex samples that endpoint signatures miss.
YARA Rule
import "pe"

rule Trj_Elex_Dll32
{
    meta:
        author = "Centro Criptológico Nacional (CCN)"
        description = "Elex DLL 32 bits"
        ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    strings:
        $mz = { 4d 5a }                                  // "MZ" DOS header magic
        $str1 = {59 00 72 00 72 00 65 00 68 00 73 00}    // "Yrrehs" in UTF-16LE (equivalent to "Yrrehs" wide)
        $str2 = "RookIE/1.0"
    condition:
        // 32-bit (x86) image with the DLL characteristic, MZ at offset 0, and both content strings present
        (pe.machine == pe.MACHINE_I386) and (pe.characteristics & pe.DLL) and ($mz at 0) and ($str1) and ($str2)
}
The rule needs the YARA pe module (hence the import "pe" line; without it the rule does not compile) and runs anywhere YARA runs: the yara command-line scanner, yara-python, or an EDR or AV engine with YARA support.
Its detection logic combines three string patterns ($mz, $str1, $str2) with two pe-module checks (x86 machine type and the DLL characteristic flag). All five clauses are AND-ed, so a 32-bit DLL that lacks either content string does not match.
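To make the five clauses concrete, the following added example (not CCN-CERT's code) re-implements the rule's condition in plain Python by reading the COFF header fields that the pe module exposes as pe.machine and pe.characteristics, then runs it over constructed PE images. The images and their payloads are synthetic byte strings built in the script, not real Elex binaries; only the 32-bit DLL that carries both strings should match.

```python
"""Plain-Python re-implementation of the Trj_Elex_Dll32 conditions, run over
constructed PE images.  Added example, not CCN-CERT code; the samples are
synthetic byte strings, not real Elex binaries."""
import struct

# COFF file header values that YARA's pe module exposes as pe.MACHINE_I386 / pe.DLL
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

STR1 = "Yrrehs".encode("utf-16-le")   # same bytes as $str1: 59 00 72 00 72 00 65 00 68 00 73 00
STR2 = b"RookIE/1.0"                  # $str2


def parse_coff(data: bytes):
    """Return (machine, characteristics) from the COFF header, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":           # $mz at 0
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return machine, characteristics


def trj_elex_dll32(data: bytes) -> bool:
    """True iff every clause of the rule's condition holds."""
    coff = parse_coff(data)
    if coff is None:
        return False
    machine, characteristics = coff
    return (machine == IMAGE_FILE_MACHINE_I386          # pe.machine == pe.MACHINE_I386
            and bool(characteristics & IMAGE_FILE_DLL)  # pe.characteristics & pe.DLL
            and STR1 in data                            # $str1
            and STR2 in data)                           # $str2


def build_pe(machine: int, characteristics: int, payload: bytes) -> bytes:
    """Minimal, non-loadable PE image: DOS header, PE signature, COFF header, payload."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + payload


def run_samples() -> dict:
    """Constructed images: only the 32-bit DLL carrying both strings should match."""
    both = b"\x00" * 8 + STR1 + b"\x00" * 8 + STR2 + b"\x00"
    dll = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL
    return {
        "x86_dll_both_strings": trj_elex_dll32(build_pe(IMAGE_FILE_MACHINE_I386, dll, both)),
        "x86_dll_no_strings": trj_elex_dll32(build_pe(IMAGE_FILE_MACHINE_I386, dll, b"ordinary 32-bit library")),
        "x86_dll_one_string": trj_elex_dll32(build_pe(IMAGE_FILE_MACHINE_I386, dll, STR2)),
        "x64_dll_both_strings": trj_elex_dll32(build_pe(IMAGE_FILE_MACHINE_AMD64, dll, both)),
        "x86_exe_both_strings": trj_elex_dll32(build_pe(IMAGE_FILE_MACHINE_I386, IMAGE_FILE_EXECUTABLE_IMAGE, both)),
        "strings_without_pe": trj_elex_dll32(STR1 + STR2),
    }


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:24s} {'MATCH' if hit else 'no match'}")
```

In production you would not hand-roll the PE parsing; compile the rule above with yara-python (yara.compile(source=...)) and call rules.match(data=...) or rules.match(filepath=...). The point of the re-implementation is to show why the false-positive scenarios below rarely apply: the "x86_dll_no_strings" sample is exactly a legitimate 32-bit DLL, and it does not match.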
The exclusions below only make sense once a YARA hit is joined to process telemetry (which process loaded or wrote the flagged file). Each filter is written as the condition an event must satisfy to still alert: "process.name != X or process.parent.name != Y" keeps everything except the one (process, parent) pair. Because the rule also requires both content strings, a plain 32-bit DLL in any of these scenarios will not match in the first place; tune only on confirmed false positives, and be careful with exclusions on regsvr32.exe, msiexec.exe and rundll32-style loaders, since those are the same binaries an attacker would use to load a malicious DLL.
Scenario: A legitimate 32-bit DLL is being used by a 32-bit application that is part of the enterprise's standard software stack.
Filter/Exclusion: process.name != "legitimate_32bit_app.exe" or process.parent.name != "known_parent_process.exe"
Scenario: A system update or patching task is deploying a 32-bit DLL as part of a Windows Update or Microsoft Update process.
Filter/Exclusion: process.name != "wusa.exe" or process.parent.name != "svchost.exe"
Scenario: A scheduled job runs a 32-bit tool like msiexec.exe to install or update software, which triggers the DLL loading.
Filter/Exclusion: process.name != "msiexec.exe" or process.parent.name != "schtasks.exe"
Scenario: An administrator is using a 32-bit utility like regsvr32.exe to register a COM DLL as part of routine maintenance.
Filter/Exclusion: process.name != "regsvr32.exe" or process.parent.name != "explorer.exe"
Scenario: A 32-bit version of a common enterprise tool (e.g., 7-Zip, WinRAR, or Notepad++) is being executed, which loads a 32-bit DLL.
Filter/Exclusion: process.name != "7z.exe" and process.name != "notepad++.exe" and process.name != "rar.exe" (equivalently, process.name not in ("7z.exe", "notepad++.exe", "rar.exe"); chaining these with "or" would be true for every event and exclude nothing)
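Before shipping an exclusion, it is worth running it over a handful of events to confirm it drops what you expect and nothing more. The following added example (not part of the original page) evaluates the scenario filters above against constructed process events and contrasts the multi-name exclusion written as an "or" chain of "!=" comparisons with the corrected "not in" form. Event field names and values are assumptions chosen to match the filters; the events are synthetic, not real telemetry.

```python
"""Evaluate process-context exclusions against constructed events.
Added example; the events below are synthetic, not real telemetry."""

# Constructed sample events (field names follow the filters on this page)
EVENTS = [
    {"process.name": "wusa.exe",     "process.parent.name": "svchost.exe"},   # patching: exclude
    {"process.name": "wusa.exe",     "process.parent.name": "cmd.exe"},       # odd parent: keep
    {"process.name": "regsvr32.exe", "process.parent.name": "explorer.exe"},  # admin COM registration: exclude
    {"process.name": "regsvr32.exe", "process.parent.name": "winword.exe"},   # regsvr32 spawned by Office: keep
    {"process.name": "7z.exe",       "process.parent.name": "explorer.exe"},  # common tool: exclude
    {"process.name": "rundll32.exe", "process.parent.name": "explorer.exe"},  # not excluded anywhere: keep
]

# (process.name, process.parent.name) pairs from the scenarios above
PAIR_EXCLUSIONS = [
    ("wusa.exe", "svchost.exe"),
    ("msiexec.exe", "schtasks.exe"),
    ("regsvr32.exe", "explorer.exe"),
]
NAME_EXCLUSIONS = {"7z.exe", "notepad++.exe", "rar.exe"}


def keep_pair(event: dict, name: str, parent: str) -> bool:
    """process.name != name or process.parent.name != parent  ==  not (both match)."""
    return event["process.name"] != name or event["process.parent.name"] != parent


def keep_names_as_or_chain(event: dict) -> bool:
    """The multi-name filter written as an OR chain of '!=' comparisons.

    A single process.name can equal at most one of the names, so at most one
    comparison is False and the OR is always True: nothing is excluded."""
    return any(event["process.name"] != n for n in NAME_EXCLUSIONS)


def keep_names_fixed(event: dict) -> bool:
    """Corrected form: drop the event if its name is any of the excluded names."""
    return event["process.name"] not in NAME_EXCLUSIONS


def alerts(events: list, names_filter) -> list:
    """Events that survive every pair exclusion and the multi-name filter."""
    return [
        e for e in events
        if all(keep_pair(e, n, p) for n, p in PAIR_EXCLUSIONS) and names_filter(e)
    ]


def compare() -> tuple:
    """Surviving process names under the OR-chain filter vs the corrected filter."""
    or_chain = [e["process.name"] for e in alerts(EVENTS, keep_names_as_or_chain)]
    fixed = [e["process.name"] for e in alerts(EVENTS, keep_names_fixed)]
    return or_chain, fixed


if __name__ == "__main__":
    or_chain, fixed = compare()
    print("OR-chain filter keeps:", or_chain)   # 7z.exe still alerts
    print("corrected filter keeps:", fixed)     # 7z.exe suppressed
```

The pair filters behave as intended in both runs (wusa.exe under cmd.exe and regsvr32.exe under winword.exe still alert); only the multi-name exclusion changes, which is the kind of regression a quick table-driven check like this catches before the rule goes live.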