Rundll32 Execution Without DLL File

Detects the execution of rundll32 with a command line that doesn't contain a .dll file

Sigma rule (View on GitHub)

 1title: Rundll32 Execution Without DLL File
 2id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf
 3status: experimental
 4description: Detects the execution of rundll32 with a command line that doesn't contain a .dll file
 5references:
 6    - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 7author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)
 8date: 2022/01/13
 9modified: 2023/03/24
10tags:
11    - attack.defense_evasion
12    - attack.t1218.011
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        - Image|endswith: '\rundll32.exe'
19        - OriginalFileName: 'RUNDLL32.EXE'
20    filter_empty:
21        CommandLine: null
22    filter_generic:
23        - CommandLine|contains: '.dll'
24        - CommandLine: ''
25    filter_parent_null:
26        CommandLine|startswith: 'C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess'
27    filter_iexplore:
28        ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
29        CommandLine|contains: '.cpl'
30    filter_msiexec_syswow64:
31        ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'
32        ParentCommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
33    filter_msiexec_system32:
34        ParentImage|endswith: ':\Windows\System32\msiexec.exe'
35        ParentCommandLine|startswith: 'C:\Windows\system32\MsiExec.exe -Embedding'
36    filter_splunk_ufw:
37        ParentImage|endswith: ':\Windows\System32\cmd.exe'
38        ParentCommandLine|contains: ' C:\Program Files\SplunkUniversalForwarder\'
39    filter_localserver_fp:
40        CommandLine|contains: ' -localserver '
41    filter_mcafee:
42        - ParentCommandLine|startswith: 'C:\Windows\system32\rundll32.exe" "C:\Program Files\McAfee\MSC\mcmscins.dll",DllUninstallFunction '
43        - CommandLine|startswith: 'C:\Windows\system32\rundll32.exe" /uninstall /longpath "C:\Program Files\McAfee\MSC\mscrem.inf'
44    filter_edge_update:
45        ParentImage|startswith: 'C:\Users\'
46        ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
47        ParentImage|endswith: '\setup.exe'
48        ParentCommandLine|contains: '\setup.exe" --install-archive="C:\Users\'
49    filter_avira:
50        CommandLine|contains|all:
51            - 'C:\Windows\Installer\MSI'
52            - '.tmp'
53            - 'zzzzInvokeManagedCustomActionOutOfProc'
54            - 'Avira.OE.Setup'
55    condition: selection and not 1 of filter_*
56fields:
57    - Image
58    - CommandLine
59falsepositives:
60    - Unknown
61level: high

References

Related rules
