Rundll32 Application Bypass with DllRegisterServer Function (RedCanary Threat Detection Report)
Detects the DllRegisterServer export function implemented with Rundll32. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Rundll32 Application Bypass with DllRegisterServer Function (RedCanary Threat Detection Report)
2id: f6d0c39a-96fe-45c5-b3c8-7dbea2a3f34c
3status: experimental
4description: Detects the DllRegisterServer export function implemented with Rundll32. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/techniques/rundll32/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.defense_evasion
11 - attack.t1218.011
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 Image|endswith: '\rundll32.exe'
18 CommandLine|contains: 'DllRegisterServer'
19 condition: selection
20falsepositives:
21 - Unknown
22level: low```
References
-
Adversaries use Rundll32, a native Windows process, to execute malicious code through DLLs, often to bypass application controls.
Read More
Related rules
- Rundll32 Injection into LSASS (RedCanary Threat Detection Report)
- Rundll32 Suspicious Process Lineage (RedCanary Threat Detection Report)
- Rundll32 Without a Command Line (RedCanary Threat Detection Report)
- Application Bypass with RunDLL32 and DllRegisterServer Function
- Rundll32 with Suspicious Export Functionalities