Command Shell Activity Started via RunDLL32
Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.
[metadata]
# Rule lifecycle fields consumed by the Elastic detection-rules tooling (not by the
# running rule). creation_date is fixed; updated_date tracks the last revision.
creation_date = "2020/10/19"
# Integrations this rule is validated against; each one should be covered by an
# entry in [rule].index and a "Data Source:" tag below.
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/15"
# Oldest stack version the rule is allowed to load on; see min_stack_comments.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code."
# Documented benign source of matches; the second exclusion inside the query below
# is the concrete filter for this installer case.
false_positives = ["Microsoft Windows installers leveraging RunDLL32 for installation."]
# Start of the per-run search window. With timestamp_override set to event.ingested
# (below) the window is measured against ingest time, so a window wider than the
# run interval tolerates ingestion delay. The interval itself is not set here, so
# the stack default applies.
from = "now-9m"
# One index pattern per data source; keep in step with [metadata].integration and
# the "Data Source:" tags.
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Command Shell Activity Started via RunDLL32"
# risk_score 21 / severity low: a rundll32 -> shell parent/child pair is a broad
# signal, which suggests this is intended for triage and correlation rather than as
# a high-confidence alert on its own.
risk_score = 21
rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
severity = "low"
# The three "Tactic:" tags mirror the three [[rule.threat]] entries at the end of
# the file; update both places together.
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Execution",
 "Tactic: Credential Access",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
]
# Evaluate the time window against event.ingested instead of @timestamp.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic (EQL). Matches a Windows process-start event whose image is
# cmd.exe or powershell.exe and whose direct parent is rundll32.exe.
#  - `:` is EQL's case-insensitive match and honours `*` wildcards, so the path
#    casing in the exclusions (C:\Windows vs C:\WINDOWS) is not significant and
#    "*.tmp" covers the randomly named MSI temp DLL.
#  - `process.parent.command_line != null` requires the parent command line to be
#    present. The exclusions read process.parent.args, which is derived from it,
#    so this keeps the rule from firing on events where that data is simply
#    absent and the exclusions could not be evaluated.
#  - Exclusions: SHELL32.dll,RunAsNewUser_RunDLL appears to be the Windows
#    "run as different user" shell verb; <random>.tmp,zzzzInvokeManagedCustomActionOutOfProc
#    is the Windows Installer managed custom-action host named in false_positives.
#    Further environment-specific tuning belongs in that same `not ... args :` list.
# NOTE(review): pwsh.exe (PowerShell 7) is not in the process.name list, so a
# shell spawned through it by rundll32 would not alert — confirm whether that is
# intended for the monitored estate.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.name : ("cmd.exe", "powershell.exe") and
 process.parent.name : "rundll32.exe" and process.parent.command_line != null and
 /* common FPs can be added here */
 not process.parent.args : ("C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL",
 "C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc")
'''


# MITRE ATT&CK mappings: one [[rule.threat]] element per tactic, each carrying its
# technique(s)/sub-technique(s) and a [rule.threat.tactic] sub-table. In TOML each
# [rule.threat.tactic] header binds to the most recent [[rule.threat]] element, so
# the ordering below (techniques first, then tactic) must be kept within each entry.

# Execution: the child process is a command/scripting interpreter.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
# Sub-techniques correspond one-to-one with the two process.name values in the query.
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
# Credential Access.
# NOTE(review): the query does not inspect any credential-related argument or
# target, so the T1552 mapping is not directly evidenced by the detection logic;
# confirm the intended rationale before relying on this tactic in coverage reports.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
# Defense Evasion: rundll32.exe as the parent is the signed system binary being
# used as an execution proxy.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"