CobaltStrike Load by Rundll32

Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.

Sigma rule (View on GitHub)

 1title: CobaltStrike Load by Rundll32
 2id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
 3status: test
 4description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
 5references:
 6    - https://www.cobaltstrike.com/help-windows-executable
 7    - https://redcanary.com/threat-detection-report/
 8    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
 9author: Wojciech Lesicki
10date: 2021/06/01
11modified: 2022/09/16
12tags:
13    - attack.defense_evasion
14    - attack.t1218.011
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_rundll:
20        - Image|endswith: '\rundll32.exe'
21        - OriginalFileName: RUNDLL32.EXE
22        - CommandLine|contains:
23            - 'rundll32.exe'
24            - 'rundll32 '
25    selection_params:
26        CommandLine|contains: '.dll'
27        CommandLine|endswith:
28            - ' StartW'
29            - ',StartW'
30    condition: all of selection*
31falsepositives:
32    - Unknown
33level: high

Related rules

to-top