Rundll32 Suspicious Process Lineage (RedCanary Threat Detection Report)
Detects instances of Rundll32 being spawned by unusual or suspicious parent processes. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Rundll32 Suspicious Process Lineage (RedCanary Threat Detection Report)
2id: d4ae7bf0-8325-4a1f-9d72-0da717d9d757
3status: experimental
4description: Detects instances of Rundll32 being spawned by unusual or suspicious parent processes. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/techniques/rundll32/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.defense_evasion
11 - attack.t1218.011
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 Image|endswith: '\rundll32.exe'
18 ParentImage|endswith:
19 - '\winword.exe'
20 - '\excel.exe'
21 - '\msaccess.exe'
22 - '\lsass.exe'
23 - '\taskeng.exe'
24 - '\winlogon.exe'
25 - '\schtasks.exe'
26 - '\regsvr32.exe'
27 - '\wmiprvse.exe'
28 - '\wsmprovhost.exe'
29 condition: selection
30falsepositives:
31 - Unknown
32level: low```
References
-
Adversaries use Rundll32, a native Windows process, to execute malicious code through DLLs, often to bypass application controls.
Read More
Related rules
- Rundll32 Application Bypass with DllRegisterServer Function (RedCanary Threat Detection Report)
- Rundll32 Injection into LSASS (RedCanary Threat Detection Report)
- Rundll32 Without a Command Line (RedCanary Threat Detection Report)
- Application Bypass with RunDLL32 and DllRegisterServer Function
- Rundll32 with Suspicious Export Functionalities