Rundll32 Without a Command Line
Rundll32 does not normally execute without corresponding command-line arguments and while spawning a child process. Given this, you may want to alert on the execution of processes that appear to be rundll32.exe without any command-line arguments , especially when they spawn child processes or make network connections. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Rundll32 Without a Command Line
2id: 0fab2f9d-0c38-4392-802f-09e4f4fef0ed
3status: experimental
4description: |
5 Rundll32 does not normally execute without corresponding command-line
6 arguments and while spawning a child process. Given this, you may want
7 to alert on the execution of processes that appear to be rundll32.exe
8 without any command-line arguments , especially when they spawn child
9 processes or make network connections. Part of the RedCanary 2024
10 Threat Detection Report.
11references:
12 - https://redcanary.com/threat-detection-report/techniques/rundll32/
13author: RedCanary, Sigma formatting by Micah Babinski
14date: 2024/03/21
15tags:
16 - attack.defense_evasion
17 - attack.t1218
18 - attack.t1218.011
19logsource:
20 category: network_connection
21 product: windows
22detection:
23 selection:
24 ParentImage|endswith: '\rundll32.exe'
25 ParentCommandLine: null
26 condition: selection
27falsepositives:
28 - Unknown
29level: low```
References
-
Adversaries use Rundll32, a native Windows process, to execute malicious code through DLLs, often to bypass application controls.
Read More
Related rules
- Application Bypass with DllRegisterServer Function
- Rundll32 Injection into LSASS
- Rundll32 with Suspicious Process Lineage
- Suspicious Export Functionalities - Rundll32
- HTML Help HH.EXE Suspicious Child Process