Rundll32 Execution Without CommandLine Parameters
Detects a suspicious start of rundll32.exe with no command-line parameters at all, a pattern seen in Cobalt Strike beacon activity, where rundll32.exe has historically been the default spawn-to process for post-exploitation jobs. A legitimate rundll32.exe invocation normally carries at least a DLL name and an export to call; a bare executable path with nothing after it is rarely benign.
Sigma rule

```yaml
title: Rundll32 Execution Without CommandLine Parameters
id: 1775e15e-b61b-4d14-a1a3-80981298085a
status: test
description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
references:
    - https://www.cobaltstrike.com/help-opsec
    - https://twitter.com/ber_m1ng/status/1397948048135778309
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2023-08-31
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|endswith:
            - '\rundll32.exe'
            - '\rundll32.exe"'
            - '\rundll32'
    filter:
        ParentImage|contains:
            - '\AppData\Local\'
            - '\Microsoft\Edge\'
    condition: selection and not filter
falsepositives:
    - Possible but rare
level: high
```
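To make the detection logic concrete, the following is an added example (not part of the Sigma rule or the SigmaHQ project) that re-implements the rule's selection, filter and condition in plain Python and runs it over a handful of constructed process-creation events. It follows the Sigma convention that `endswith` and `contains` compare case-insensitively, and it shows the two things a practitioner should keep in mind: the filter suppresses any rundll32.exe child of a parent living under `\AppData\Local\` or the Edge install directory, and `endswith` is an exact suffix match, so a command line with trailing whitespace does not hit the rule. All file paths and user names in the sample events are hypothetical.

```python
"""Re-implementation of the Sigma rule's detection block (added example, not the project's code)."""
from dataclasses import dataclass

# Values copied from the rule's selection and filter blocks.
SELECTION_ENDSWITH = ('\\rundll32.exe', '\\rundll32.exe"', '\\rundll32')
FILTER_PARENT_CONTAINS = ('\\AppData\\Local\\', '\\Microsoft\\Edge\\')


@dataclass
class ProcessEvent:
    """Minimal process_creation event: only the two fields the rule reads."""
    CommandLine: str
    ParentImage: str


def selection_matches(event: ProcessEvent) -> bool:
    """CommandLine|endswith: Sigma string matching is case-insensitive by default."""
    cmd = event.CommandLine.lower()
    return any(cmd.endswith(suffix.lower()) for suffix in SELECTION_ENDSWITH)


def filter_matches(event: ProcessEvent) -> bool:
    """ParentImage|contains: parents under AppData\\Local or the Edge install directory."""
    parent = event.ParentImage.lower()
    return any(needle.lower() in parent for needle in FILTER_PARENT_CONTAINS)


def rule_matches(event: ProcessEvent) -> bool:
    """condition: selection and not filter"""
    return selection_matches(event) and not filter_matches(event)


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    # bare rundll32.exe spawned by cmd.exe: hit
    ProcessEvent('C:\\Windows\\System32\\rundll32.exe',
                 'C:\\Windows\\System32\\cmd.exe'),
    # quoted path with nothing after the closing quote: hit via the '\rundll32.exe"' suffix
    ProcessEvent('"C:\\Windows\\System32\\rundll32.exe"',
                 'C:\\Windows\\explorer.exe'),
    # upper-case binary name in SysWOW64: still a hit, matching is case-insensitive
    ProcessEvent('C:\\Windows\\SysWOW64\\RUNDLL32.EXE',
                 'C:\\Windows\\System32\\svchost.exe'),
    # normal usage with a DLL and export: no hit
    ProcessEvent('rundll32.exe shell32.dll,Control_RunDLL',
                 'C:\\Windows\\explorer.exe'),
    # bare rundll32.exe, but the parent lives under AppData\Local: suppressed by the filter
    ProcessEvent('C:\\Windows\\System32\\rundll32.exe',
                 'C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe'),
    # bare rundll32.exe spawned by msedge.exe: suppressed by the filter
    ProcessEvent('C:\\Windows\\System32\\rundll32.exe',
                 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'),
    # trailing space after the path: endswith is exact, so this is NOT a hit
    ProcessEvent('C:\\Windows\\System32\\rundll32.exe ',
                 'C:\\Windows\\System32\\cmd.exe'),
]


def evaluate(events=SAMPLE_EVENTS):
    """Return [(CommandLine, ParentImage, matched)] for each event."""
    return [(e.CommandLine, e.ParentImage, rule_matches(e)) for e in events]


if __name__ == '__main__':
    for cmd, parent, hit in evaluate():
        print(f'{"ALERT" if hit else "     "}  {cmd!r}  parent={parent!r}')
```

Running the script prints ALERT for the first three events and nothing for the remaining four. The last two negatives are the ones worth thinking about when tuning: the `\AppData\Local\` filter is there to cut false positives from per-user installers and updaters, but that is also the directory attackers most often drop payloads into, so a rundll32.exe child of an unknown executable under AppData\Local deserves its own rule rather than blanket suppression; and because the match is an exact suffix, telemetry that preserves trailing whitespace or appends arguments the rule does not expect will fall outside it.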
Related rules
- Custom File Open Handler Executes PowerShell
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Findstr Launching .lnk File
- Indirect Command Execution From Script File Via Bash.EXE
- Indirect Inline Command Execution Via Bash.EXE