Command Shell Activity Started via RunDLL32
Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/10/19"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code."
12false_positives = ["Microsoft Windows installers leveraging RunDLL32 for installation."]
13from = "now-9m"
14index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Command Shell Activity Started via RunDLL32"
18risk_score = 21
19rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
20setup = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
23events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
24Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
25`event.ingested` to @timestamp.
26For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
27"""
28severity = "low"
29tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
30timestamp_override = "event.ingested"
31type = "eql"
32
33query = '''
34process where host.os.type == "windows" and event.type == "start" and
35 process.name : ("cmd.exe", "powershell.exe") and
36 process.parent.name : "rundll32.exe" and process.parent.command_line != null and
37 /* common FPs can be added here */
38 not process.parent.args : ("C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL",
39 "C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc")
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1059"
47name = "Command and Scripting Interpreter"
48reference = "https://attack.mitre.org/techniques/T1059/"
49[[rule.threat.technique.subtechnique]]
50id = "T1059.001"
51name = "PowerShell"
52reference = "https://attack.mitre.org/techniques/T1059/001/"
53[[rule.threat.technique.subtechnique]]
54id = "T1059.003"
55name = "Windows Command Shell"
56reference = "https://attack.mitre.org/techniques/T1059/003/"
57
58
59
60[rule.threat.tactic]
61id = "TA0002"
62name = "Execution"
63reference = "https://attack.mitre.org/tactics/TA0002/"
64[[rule.threat]]
65framework = "MITRE ATT&CK"
66[[rule.threat.technique]]
67id = "T1552"
68name = "Unsecured Credentials"
69reference = "https://attack.mitre.org/techniques/T1552/"
70
71
72[rule.threat.tactic]
73id = "TA0006"
74name = "Credential Access"
75reference = "https://attack.mitre.org/tactics/TA0006/"
76
77
78[[rule.threat]]
79framework = "MITRE ATT&CK"
80[[rule.threat.technique]]
81id = "T1218"
82name = "System Binary Proxy Execution"
83reference = "https://attack.mitre.org/techniques/T1218/"
84[[rule.threat.technique.subtechnique]]
85id = "T1218.011"
86name = "Rundll32"
87reference = "https://attack.mitre.org/techniques/T1218/011/"
88
89
90
91[rule.threat.tactic]
92id = "TA0005"
93name = "Defense Evasion"
94reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Conhost Spawned By Suspicious Parent Process
- Microsoft Build Engine Using an Alternate Name
- Persistence via Hidden Run Key Detected
- Potential DLL Side-Loading via Microsoft Antimalware Service Executable
- Potential DLL Side-Loading via Trusted Microsoft Programs