Rundll32 with Suspicious Process Lineage

As with most techniques in this report, you need to know what is normal in your environment before you can identify what isn't. For Rundll32, that means monitoring for executions of rundll32.exe from unusual parent processes; the following pseudo-analytic, based on an amalgamation of Red Canary detection logic, should help security teams do just that. Part of the Red Canary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Rundll32 with Suspicious Process Lineage
id: 5025ecc7-1efd-41de-aee2-38f4b9d8d281
status: experimental
description: |
    As is the case with most techniques in this report, it's critical that
    you are able to take stock of what is normal in your environment if you
    hope to be able to identify what isn't. In the context of Rundll32, you'll
    want to monitor for executions of rundll32.exe from unusual parent processes,
    and the following pseudo-analytic—based on an amalgamation of Red Canary
    detection logic—should help security teams do just that. Part of the RedCanary
    2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\msaccess.exe'
            - '\lsass.exe'
            - '\taskeng.exe'
            - '\winlogon.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\wmiprvse.exe'
            - '\wsmprovhost.exe'
        Image|endswith: '\rundll32.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
```
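To show what the selection above actually does when applied to telemetry, here is an added example (not code from Red Canary or from the rule's author) that re-implements the rule's `endswith` logic in Python and runs it over a handful of constructed process_creation records shaped like Sysmon Event ID 1 fields. The parent list is copied verbatim from the rule; the sample events, paths and command lines are invented for illustration. Two details worth seeing in code: Sigma string matching is case-insensitive by default, so `WINWORD.EXE` still matches `'\winword.exe'`, and the leading backslash in each pattern anchors on the path separator, so a lookalike such as `notrundll32.exe` does not satisfy `'\rundll32.exe'`.

```python
# Added example: a minimal evaluator for the rule's `selection`, run over
# constructed process_creation records (Sysmon Event ID 1 field names).
# Not part of the Red Canary report or the Sigma rule; sample data is invented.
import json
from typing import Iterable

# Parent images from the rule's `ParentImage|endswith` list, verbatim.
SUSPICIOUS_PARENTS = (
    r"\winword.exe", r"\excel.exe", r"\msaccess.exe", r"\lsass.exe",
    r"\taskeng.exe", r"\winlogon.exe", r"\schtasks.exe", r"\regsvr32.exe",
    r"\wmiprvse.exe", r"\wsmprovhost.exe",
)
CHILD_IMAGE = r"\rundll32.exe"


def endswith_ci(value: str, suffix: str) -> bool:
    r"""Sigma's default string matching is case-insensitive, so `endswith`
    is a case-folded suffix test. The leading backslash in each pattern
    anchors on the path separator: `\notrundll32.exe` does not end with
    `\rundll32.exe`."""
    return value.casefold().endswith(suffix.casefold())


def matches_rule(event: dict) -> bool:
    """Evaluate `condition: selection` for one event. The two keys of the
    selection map are ANDed; the list under ParentImage is ORed."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return endswith_ci(image, CHILD_IMAGE) and any(
        endswith_ci(parent, p) for p in SUSPICIOUS_PARENTS
    )


def run_detection(events: Iterable[dict]) -> list:
    """Return the events that fire, preserving input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: Office process spawning rundll32 -> fires; case differs from the rule
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,Start"},
    # 2: WMI provider host launching rundll32 -> fires
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # 3: rundll32 from svchost -> does not fire (parent not in the list)
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe shell32.dll,SHCreateLocalServerRunDll"},
    # 4: lookalike child name -> does not fire; the backslash anchor rejects it
    {"EventID": 1, "Image": r"C:\Users\victim\notrundll32.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "CommandLine": r"notrundll32.exe"},
    # 5: Excel spawning cmd rather than rundll32 -> does not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"cmd.exe /c whoami"},
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Running the block prints events 1 and 2 only. Swapping `SAMPLE_EVENTS` for your own exported Sysmon or EDR process-creation records is a quick way to see which of these parents actually spawn rundll32.exe in your environment before you decide how to tune the list, which is the baselining step the text above calls for.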
