Rundll32 with Suspicious Export Functionalities
Detects instances of rundll32.exe running Windows native DLLs that have export functionalities that adversaries commonly leverage for executing malicious code and evading defensive controls. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule

```yaml
title: Rundll32 with Suspicious Export Functionalities
id: e7cff8e3-89ae-47bd-841f-833e0a647f72
status: experimental
description: Detects instances of rundll32.exe running Windows native DLLs that have
  export functionalities that adversaries commonly leverage for executing malicious
  code and evading defensive controls. Inspired by the 2022 Red Canary Threat Detection
  report.
references:
  - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: Micah Babinski
date: 2022/11/03
tags:
  - attack.defense_evasion
  - attack.t1218
  - attack.t1218.011
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\rundll32.exe'
    CommandLine|contains:
      - 'minidump'
      - 'startw'
  condition: selection
falsepositives:
  - Unknown
level: medium
```
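To see exactly what the selection above does and does not fire on, here is an added example (not the rule's own code and not part of the Sigma project) that reimplements the two string modifiers the rule uses, `endswith` and `contains`, with Sigma's default case-insensitive matching, and runs the selection over constructed process_creation events. The DLL names and paths in the sample events are placeholders; the field names `Image` and `CommandLine` follow the Sigma process_creation logsource.

```python
"""Evaluate this page's Sigma selection over sample process_creation events.

Added example; it is not the rule's own code or part of the Sigma project. It
reimplements only the string modifiers this rule uses (endswith, contains) plus
startswith and plain equality, with Sigma's default case-insensitive matching,
and runs them over constructed events.
"""
from typing import Any, Dict, List, Optional

# Selection copied from the rule: fields are AND-ed, list values are OR-ed.
SELECTION: Dict[str, List[str]] = {
    "Image|endswith": ["\\rundll32.exe"],
    "CommandLine|contains": ["minidump", "startw"],
}


def _match_value(modifier: Optional[str], field_value: Any, pattern: str) -> bool:
    """Apply one Sigma string modifier; comparisons are case-insensitive."""
    value = str(field_value).lower()
    needle = pattern.lower()
    if modifier is None:
        return value == needle
    if modifier == "contains":
        return needle in value
    if modifier == "endswith":
        return value.endswith(needle)
    if modifier == "startswith":
        return value.startswith(needle)
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event: Dict[str, Any],
                      selection: Dict[str, List[str]] = SELECTION) -> bool:
    """True when every field in the selection matches at least one of its patterns."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False  # a missing field can never satisfy the selection
        if not any(_match_value(modifier or None, event[field], p) for p in patterns):
            return False
    return True


def triage(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events the rule would alert on."""
    return [e for e in events if matches_selection(e)]


# Constructed sample events (placeholder DLL names, not real command lines).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # mixed-case export name still matches: Sigma compares case-insensitively
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\placeholder\example.dll,MiniDump 1234 out.dmp full",
    },
    {   # export name containing 'startw', launched from the 32-bit rundll32
        "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "CommandLine": r'rundll32.exe "C:\placeholder\example.dll",StartW',
    },
    {   # ordinary rundll32 use; no suspicious export in the command line
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe printui.dll,PrintUIEntry /?",
    },
    {   # keyword present but the image is not rundll32, so no alert
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\docs\startw-notes.txt",
    },
    {   # coverage gap: the selection keys on Image only, so a rundll32 binary
        # running under another file name is not caught by this rule
        "Image": r"C:\Users\Public\r32.exe",
        "CommandLine": r"r32.exe C:\placeholder\example.dll,StartW",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

Running it alerts on the first two events only. The last event illustrates why this rule is meant to sit beside the lineage-based rule listed below rather than replace it: the `Image|endswith` clause trusts the file name, so detections that also check the process's original file name or its parent close that gap.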
Related rules
- Application Bypass with RunDLL32 and DllRegisterServer Function
- Rundll32 with Suspicious Process Lineage
- Rundll32 without Command Line
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components