Rundll32 Without a Command Line (RedCanary Threat Detection Report)
Detects instances of Rundll32 without a command line spawning child processes. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Rundll32 Without a Command Line (RedCanary Threat Detection Report)
2id: 2a2bd094-ecd0-4b19-afb7-c2547b0bdf30
3status: experimental
4description: Detects instances of Rundll32 without a command line spawning child processes. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/techniques/rundll32/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.defense_evasion
11 - attack.t1218.011
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 ParentImage|endswith: '\rundll32.exe'
18 ParentCommandLine:
19 - 'rundll32.exe'
20 - 'rundll32'
21 - ''
22 - null
23 condition: selection
24falsepositives:
25 - Unknown
26level: low```
References
-
Adversaries use Rundll32, a native Windows process, to execute malicious code through DLLs, often to bypass application controls.
Read More
Related rules
- Rundll32 Application Bypass with DllRegisterServer Function (RedCanary Threat Detection Report)
- Rundll32 Injection into LSASS (RedCanary Threat Detection Report)
- Rundll32 Suspicious Process Lineage (RedCanary Threat Detection Report)
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution