Rundll32 with Suspicious Process Lineage
Detects executions of rundll32.exe from unusual or suspicious parent processes. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule
```yaml
title: Rundll32 with Suspicious Process Lineage
id: a01588a5-b68d-4d55-ab49-76d25c557ed4
status: experimental
description: Detects executions of rundll32.exe from unusual or suspicious parent
    processes. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\msaccess.exe'
            - '\lsass.exe'
            - '\taskeng.exe'
            - '\winlogon.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\wmiprvse.exe'
            - '\wsmprovhost.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
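To make the selection logic concrete, the following is an added example, not code from the rule author or the Sigma project: it re-implements the rule's `selection` in plain Python and runs it over a handful of constructed process-creation events. Field names follow the Sigma `process_creation` taxonomy (`Image`, `ParentImage`, `CommandLine`); the events and paths are made up for illustration. Both keys under `selection` are AND-ed, the list under `ParentImage|endswith` is OR-ed, and `endswith` compares case-insensitively, which is how Sigma evaluates string modifiers by default.

```python
"""Evaluate the rule's `selection` against constructed process_creation events.

Added example; not part of the Sigma rule or the Sigma project. Field names
follow the Sigma process_creation taxonomy; all sample events are constructed.
"""

# Values copied from the rule's selection block.
IMAGE_SUFFIX = "\\rundll32.exe"
PARENT_SUFFIXES = [
    "\\winword.exe",
    "\\excel.exe",
    "\\msaccess.exe",
    "\\lsass.exe",
    "\\taskeng.exe",
    "\\winlogon.exe",
    "\\schtasks.exe",
    "\\regsvr32.exe",
    "\\wmiprvse.exe",
    "\\wsmprovhost.exe",
]


def _endswith(value, suffix):
    """Sigma `endswith` modifier: case-insensitive suffix comparison."""
    return value.lower().endswith(suffix.lower())


def matches(event):
    """Return True when the event satisfies the rule's `selection`.

    The two keys in the selection map are AND-ed; the list of parent
    suffixes is OR-ed, exactly as Sigma evaluates a selection.
    """
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if not _endswith(image, IMAGE_SUFFIX):
        return False
    return any(_endswith(parent, s) for s in PARENT_SUFFIXES)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # Office process launching rundll32 (macro-style lineage): should alert
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,Start",
    },
    {  # Ordinary desktop launch from explorer.exe: parent not in the list, no alert
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
    },
    {  # Suspicious parent, but the child is not rundll32: no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {  # Renamed copy: the suffix is anchored on the backslash, so
       # "evil_rundll32.exe" does NOT satisfy endswith '\rundll32.exe'
        "Image": r"C:\Users\Public\evil_rundll32.exe",
        "ParentImage": r"C:\Windows\System32\wmiprvse.exe",
        "CommandLine": "evil_rundll32.exe",
    },
]


def run(events=SAMPLE_EVENTS):
    """Return the indices of the events that fire the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in run():
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev['ParentImage']} -> {ev['Image']}")
```

Only the first event fires. The fourth event shows the flip side of the anchored suffix: the rule keys on the image path alone, so a copy of rundll32.exe saved under another name is not covered by this rule; in telemetry that records the PE's original file name (Sysmon's `OriginalFileName`, for example) a companion check on that field closes the gap. Because the rule's false positive list is `Unknown`, baseline the parent list in your own environment before promoting it beyond `medium`; the Office parents and the system parents (lsass, winlogon, wmiprvse, wsmprovhost) will have different noise profiles.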
References
- https://redcanary.com/threat-detection-report/techniques/rundll32/
Related rules
- Application Bypass with RunDLL32 and DllRegisterServer Function
- Rundll32 with Suspicious Export Functionalities
- Rundll32 without Command Line
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components