Rundll32 without Command Line
Detects instances of rundll32.exe with no command line that spawns a child process. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule (View on GitHub)
1title: Rundll32 without Command Line
2id: 48bd57e9-1b2b-4be9-a2aa-5fccbe86b136
3status: experimental
4description: Detects instances of rundll32.exe with no command line that spawns a
5 child process. Inspired by the 2022 Red Canary Threat Detection report.
6references:
7 - https://redcanary.com/threat-detection-report/techniques/rundll32/
8author: Micah Babinski
9date: 2022/11/03
10tags:
11 - attack.defense_evasion
12 - attack.t1218
13 - attack.t1218.011
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 ParentCommandLine:
20 - 'rundll32.exe'
21 - 'rundll32'
22 - null
23 ParentImage|endswith: '\rundll32.exe'
24 condition: selection
25falsepositives:
26 - Unknown
27level: medium```
References
-
Adversaries use Rundll32, a native Windows process, to execute malicious code through DLLs, often to bypass application controls.
Read More
Related rules
- Application Bypass with RunDLL32 and DllRegisterServer Function
- Rundll32 with Suspicious Export Functionalities
- Rundll32 with Suspicious Process Lineage
- DLL Execution via Rasautou.exe
- Indirect Command Execution By Program Compatibility Wizard