Unusual Child Processes of RunDLL32
Identifies a no-argument or malformed Rundll32 launch followed by child process execution. This unusual sequence can indicate Rundll32 abuse for proxy execution or payload handoff.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/30"

[rule]
author = ["Elastic"]
description = """
Identifies a no-argument or malformed Rundll32 launch followed by child process execution. This unusual sequence can
indicate Rundll32 abuse for proxy execution or payload handoff.
"""
from = "now-60m"
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-crowdstrike.fdr*"]
interval = "30m"
language = "eql"
license = "Elastic License v2"
name = "Unusual Child Processes of RunDLL32"
risk_score = 73
rule_id = "f036953a-4615-4707-a1ca-dc53bf69dcd5"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence with maxspan=1h
  [process where host.os.type == "windows" and event.type == "start" and
   (process.name : "rundll32.exe" or process.pe.original_file_name == "RUNDLL32.EXE") and
   (process.args_count == 1 and
    /* Excludes bug where a missing closing quote sets args_count to 1 despite extra args */
    not process.command_line regex~ """\".*\.exe[^\"].*""")
  ] by process.entity_id
  [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "rundll32.exe"
  ] by process.parent.entity_id
'''

note = """## Triage and analysis

### Investigating Unusual Child Processes of RunDLL32

#### Possible investigation steps

- Which source events define the no-argument "rundll32.exe" parent and the spawned child?
  - Why: this asymmetric sequence has no single safe process identity; recover source events before interpreting grouped meaning or pivoting.
  - Focus: Timeline source events for the sequence, recording parent and child `process.entity_id`, child `process.parent.entity_id`, `host.id`, and `user.id`.
  - Implication: escalate when recovered events show one no-argument "rundll32.exe" handing off to an unexpected child; lower suspicion only when recovery shows a parser/quoting artifact and the child is signed, stable, and path-consistent for the same user and host.

- Does the recovered "rundll32.exe" event truly lack a DLL, export, or Control_RunDLL-style target?
  - Why: normal Rundll32 proxy execution names a DLL/export, ordinal, script target, or Control Panel handler; this rule covers empty or malformed invocation that still spawns a child.
  - Focus: parent `process.command_line`, `process.args_count`, `process.executable`, and `process.pe.original_file_name`.
  - Implication: escalate when `process.args_count` and `process.command_line` confirm only the image path or a malformed target; lower suspicion only when source recovery proves a quoting/parser artifact and the exact parent-child command pattern is stable.

- What did the recovered child process do, and does its identity fit that parent chain?
  - Focus: child `process.executable`, `process.command_line`, `process.pe.original_file_name`, code signature, and descendant process starts.
  - Hint: after recovering the child `process.entity_id` from source events, pivot manually on that ID for descendants; the final sequence alert may not preserve a child-specific entity ID.
  - Implication: escalate when the child is a shell, script host, network utility, unsigned payload, user-writable binary, or mismatched original file name; lower suspicion when the child is signed, path-consistent, and matches the exact recovered wrapper pattern. Identity alone does not clear the behavior.

- What launched "rundll32.exe", and does the user-host context explain the handoff?
  - Focus: parent `process.parent.executable`, `process.parent.command_line`, `process.Ext.ancestry`, `user.name`, and `user.domain`.
  - Implication: escalate when the launcher is Office, a browser, archive utility, script host, temp-path executable, or a lineage unusual for that `user.id` and `host.id`; lower suspicion only when the same parent executable, command line, child path, signer, and host/user scope recur without artifact or network contradictions.

- If library telemetry is available after source-event recovery, did the recovered process load a hidden or recently staged DLL?
  - Focus: library events for recovered `host.id` and each `process.entity_id`, checking `dll.path`, `dll.hash.sha256`, signer, trust, and `dll.Ext.relative_file_creation_time`.
  - Hint: query library events separately for the recovered parent and child IDs; missing library telemetry limits DLL corroboration but does not clear the process evidence.
  - Implication: escalate when a DLL loads from a user-writable, unrelated, unsigned, or recently created path; lower suspicion when library identity, signer, and path relationship fit the recovered parent-child workflow.

- If file or network telemetry is available after source-event recovery, did the chain stage payloads or reach suspicious infrastructure?
  - Focus: file and network events for recovered `host.id` and each `process.entity_id`, checking `file.path`, `file.Ext.windows.zone_identifier`, DNS `dns.question.name`, connection `destination.ip`, and `destination.port`.
  - Hint: separate DNS lookup events from connection events before interpreting them. Missing network telemetry is unresolved, not benign.
  - Implication: escalate when the chain writes executable or scriptable artifacts, carries internet provenance, or connects to rare external infrastructure; lower suspicion when optional activity stays inside the recovered parent-child workflow.

- If local evidence remains suspicious or unresolved, do related alerts show the same user, host, or child-process pattern?
  - Focus: recent alerts for `user.id`, `host.id`, child `process.executable`, child `process.hash.sha256`, or a distinctive `process.command_line` fragment.
  - Hint: use only after source recovery keeps the case suspicious or unresolved.
  - $investigate_0
  - $investigate_1
  - Implication: broaden response when the same user or host repeats Rundll32 proxy-execution, child payload, or related defense-evasion alerts; keep scope local when the suspicious pattern remains isolated and the recovered workflow is tightly explained.

- Escalate when source recovery, invocation shape, child identity, launcher lineage, DLL/file/network evidence, or recurrence shows "rundll32.exe" proxying unauthorized child execution or payload delivery; close only when recovered process evidence and corroborators tightly bind one exact signed workflow on this host; if evidence is mixed or incomplete, preserve artifacts and escalate.

### False positive analysis

- No-argument "rundll32.exe" spawning a child is an operational anti-pattern. Close as benign only when source recovery proves a parser/quoting artifact or authorized reproduction, the child is signed and path-consistent, and no DLL, file, or network evidence contradicts that workflow. Align available inventory, vendor, or test records; otherwise treat prior recurrence for the same `host.id` and stable parent-child anchors as supporting evidence only.
- Build exceptions from the minimum confirmed workflow: parent `process.parent.executable`, child `process.executable`, stable `process.code_signature.subject_name`, command-line shape, host/user scope, and recovered artifact anchors when present. Do not except a first occurrence, unresolved source recovery, missing contradictory-telemetry checks, or "rundll32.exe" alone.

### Response and remediation

- If confirmed benign:
  - Reverse temporary containment and document the recovered parent-child workflow, source-event IDs, signer, command-line pattern, and corroborating inventory, vendor record, or recurrence that established it.
- If suspicious but unconfirmed:
  - Preserve a case export of Timeline source events, recovered process identifiers and command lines, child binary hash, and any recovered DLL, file, or network artifacts before cleanup.
  - Apply reversible containment such as temporary network restrictions or heightened monitoring on the affected `host.id` and `user.id`; use host isolation only when child-process or artifact evidence indicates active payload execution and the host role can tolerate isolation.
- If confirmed malicious:
  - Preserve the recovered source events, process IDs, command lines, child hashes, DLL or file artifacts, and network indicators, then isolate the host or restrict the account based on the child execution, launcher lineage, artifact, or network evidence.
  - Block confirmed malicious child hashes, DLL hashes, staged payload paths, domains, and destination IPs, then review other hosts and users for the same parent-child or artifact pattern before eradication.
  - Remove only the malicious DLLs, scripts, or child payloads identified during investigation, remediate the parent launcher or delivery path that invoked "rundll32.exe", and investigate credential exposure if follow-on behavior suggests collection or lateral movement.
- Post-incident hardening:
  - Keep process telemetry for "rundll32.exe" and child processes enabled, and enable file, network, or library telemetry where missing evidence limited the case.
  - Restrict unusual "rundll32.exe" child-process patterns where the business does not require them, and record any adjacent DLL/export, ordinal, Control Panel, or script-target variants observed in the case.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.name",
    "host.id",
    "user.id",
    "event.category",
    "event.type",
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
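The two sequence stages, the `args_count == 1` filter with its missing-closing-quote exclusion, and the triage question of whether the parent event truly lacks a DLL/export target, replayed over hand-built process events. This is an added Python model written for this page, not code from the Elastic rule or from Elastic Defend. It assumes ECS-style event dictionaries constructed inline, a simplified Windows argv splitter in which an unterminated quote swallows the rest of the line (standing in for the endpoint's own parser, whose behaviour the rule comment describes), and that EQL `regex~` behaves as a case-insensitive match anchored to the whole string, which is why the rule's pattern ends in `.*`.

```python
"""Model of the 'Unusual Child Processes of RunDLL32' EQL sequence over constructed events.

Added example, not part of the Elastic rule. Field names follow the ECS fields the rule
queries; the argv splitter is a simplified model of Windows quoting, not the agent's parser.
"""
import re
from datetime import datetime, timedelta

MAXSPAN = timedelta(hours=1)
# The rule's regex~ pattern. EQL regex uses Lucene syntax, which is anchored, so
# re.fullmatch is the equivalent; the ~ suffix makes it case-insensitive.
QUOTE_BUG_RE = re.compile(r'".*\.exe[^"].*', re.IGNORECASE)


def split_args_windows(command_line: str) -> list[str]:
    """Simplified Windows-style argv split (assumption: an unterminated quote runs to end
    of line). Reproduces the artifact the rule excludes: a missing closing quote after the
    image path collapses every trailing argument into one, so args_count reads 1."""
    args, cur, in_quote = [], [], False
    for ch in command_line:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def is_bare_rundll32_start(ev: dict) -> bool:
    """Sequence stage 1: rundll32 started with only its image path, minus the quoting artifact."""
    if ev["host.os.type"] != "windows" or ev["event.type"] != "start":
        return False
    if (ev["process.name"].lower() != "rundll32.exe"
            and ev.get("process.pe.original_file_name") != "RUNDLL32.EXE"):
        return False
    if ev["process.args_count"] != 1:
        return False
    return QUOTE_BUG_RE.fullmatch(ev["process.command_line"]) is None


def is_rundll32_child_start(ev: dict) -> bool:
    """Sequence stage 2: any process start whose parent image is rundll32.exe."""
    return (ev["host.os.type"] == "windows" and ev["event.type"] == "start"
            and ev["process.parent.name"].lower() == "rundll32.exe")


def find_sequences(events: list[dict]) -> list[tuple[dict, dict]]:
    """Join stage 1 (by process.entity_id) with stage 2 (by process.parent.entity_id),
    requiring the child to start within MAXSPAN after the parent."""
    pending: dict[str, dict] = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if is_rundll32_child_start(ev):
            parent = pending.get(ev["process.parent.entity_id"])
            if parent is not None and ev["@timestamp"] - parent["@timestamp"] <= MAXSPAN:
                hits.append((parent, ev))
        if is_bare_rundll32_start(ev):
            pending[ev["process.entity_id"]] = ev
    return hits


def make_event(ts, name, command_line, entity_id, parent_name, parent_entity_id):
    """Constructed process start event in the shape the rule queries (not real telemetry)."""
    return {
        "@timestamp": ts, "host.os.type": "windows", "event.type": "start",
        "process.name": name, "process.command_line": command_line,
        "process.args_count": len(split_args_windows(command_line)),
        "process.entity_id": entity_id, "process.parent.name": parent_name,
        "process.parent.entity_id": parent_entity_id,
    }


T0 = datetime(2026, 5, 1, 9, 0, 0)
RUNDLL = r"C:\Windows\System32\rundll32.exe"
SAMPLE_EVENTS = [  # constructed sample
    # 1. bare rundll32 handing off to a shell: the pattern the rule is built for
    make_event(T0, "rundll32.exe", "rundll32.exe", "p1", "explorer.exe", "p0"),
    make_event(T0 + timedelta(seconds=5), "cmd.exe", "cmd.exe /c whoami", "c1", "rundll32.exe", "p1"),
    # 2. missing closing quote: args_count is 1, but the regex exclusion drops it
    make_event(T0, "rundll32.exe", f'"{RUNDLL} shell32.dll,Control_RunDLL', "p2", "explorer.exe", "p0"),
    make_event(T0 + timedelta(seconds=5), "control.exe", "control.exe", "c2", "rundll32.exe", "p2"),
    # 3. ordinary Control Panel launch naming a DLL/export: args_count is 2
    make_event(T0, "rundll32.exe", f'"{RUNDLL}" shell32.dll,Control_RunDLL', "p3", "explorer.exe", "p0"),
    make_event(T0 + timedelta(seconds=5), "control.exe", "control.exe", "c3", "rundll32.exe", "p3"),
    # 4. bare rundll32 whose child only appears after maxspan
    make_event(T0, "rundll32.exe", "rundll32.exe", "p4", "explorer.exe", "p0"),
    make_event(T0 + timedelta(hours=2), "cmd.exe", "cmd.exe", "c4", "rundll32.exe", "p4"),
]


if __name__ == "__main__":
    for parent, child in find_sequences(SAMPLE_EVENTS):
        print(f"{parent['process.command_line']!r} -> {child['process.command_line']!r}")
```

Run stand-alone, only the first pair survives: case 2 shows why the regex exclusion exists (the parser sees one argument, yet the command line plainly names a DLL and export, so the parent does not "truly lack a target" in the sense of the second triage question), case 3 is the normal proxy-execution shape with two arguments, and case 4 falls outside `maxspan=1h`. When triaging a real alert, applying `split_args_windows` and `QUOTE_BUG_RE` to the recovered parent `process.command_line` is a quick way to tell a genuine no-argument launch from a quoting artifact before pivoting on the child.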
Related rules
- Attempt to Install or Run Kali Linux via WSL
- Script Execution via Microsoft HTML Application
- Suspicious Managed Code Hosting Process
- Unusual Executable File Creation by a System Critical Process
- WDAC Policy File by an Unusual Process