Rundll32 Execution Without CommandLine Parameters

Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity

Sigma rule

title: Rundll32 Execution Without CommandLine Parameters
id: 1775e15e-b61b-4d14-a1a3-80981298085a
status: test
description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
references:
    - https://www.cobaltstrike.com/help-opsec
    - https://twitter.com/ber_m1ng/status/1397948048135778309
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2023-08-31
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|endswith:
            - '\rundll32.exe'
            - '\rundll32.exe"'
            - '\rundll32'
    filter:
        ParentImage|contains:
            - '\AppData\Local\'
            - '\Microsoft\Edge\'
    condition: selection and not filter
falsepositives:
    - Possible but rare
level: high
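To show how the rule's `selection and not filter` condition behaves on real-looking telemetry, here is an added Python evaluator (not part of the Sigma project or this rule) run over constructed process-creation events. It assumes Sysmon-style field names (`CommandLine`, `ParentImage`) and relies on the Sigma default that string modifiers such as `|endswith` and `|contains` match case-insensitively.

```python
# Added example, not part of the Sigma project: a minimal evaluator for this
# rule's "selection and not filter" logic over constructed process-creation
# events (Sysmon Event ID 1 style field names). Sigma string modifiers such
# as |endswith and |contains compare case-insensitively, so both sides are
# lower-cased before matching.

SELECTION_ENDSWITH = (r'\rundll32.exe', r'\rundll32.exe"', r'\rundll32')
FILTER_PARENT_CONTAINS = ('\\AppData\\Local\\', '\\Microsoft\\Edge\\')


def matches_rule(event: dict) -> bool:
    """True when the event would raise this rule (selection and not filter)."""
    cmdline = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    selection = any(cmdline.endswith(p.lower()) for p in SELECTION_ENDSWITH)
    excluded = any(p.lower() in parent for p in FILTER_PARENT_CONTAINS)
    return selection and not excluded


# Constructed sample events; none is taken from a real incident.
SAMPLE_EVENTS = [
    {   # 1: full path, no arguments, parent outside the filter -> alert
        "CommandLine": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Users\bob\Downloads\invoice.exe"},
    {   # 2: quoted path with no arguments -> alert (second endswith value)
        "CommandLine": r'"C:\Windows\System32\rundll32.exe"',
        "ParentImage": r"C:\Windows\explorer.exe"},
    {   # 3: mixed case -> still alerts, matching is case-insensitive
        "CommandLine": r"C:\WINDOWS\system32\RUNDLL32.EXE",
        "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {   # 4: legitimate use with a DLL and entry point -> no alert
        "CommandLine": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\explorer.exe"},
    {   # 5: parent under \AppData\Local\ (the rule's tuning filter) -> no alert
        "CommandLine": r"C:\Windows\SysWOW64\rundll32.exe",
        "ParentImage": r"C:\Users\bob\AppData\Local\Microsoft\Teams\Update.exe"},
    {   # 6: bare name without a path: no backslash precedes "rundll32.exe",
        # so none of the |endswith values match and the rule stays silent
        "CommandLine": "rundll32.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def alerting_indices(events=SAMPLE_EVENTS) -> list:
    """1-based indices of the events that match the rule."""
    return [i for i, ev in enumerate(events, start=1) if matches_rule(ev)]


if __name__ == "__main__":
    print("alerting events:", alerting_indices())  # [1, 2, 3]
```

Event 6 illustrates why tuners check the `|endswith` values against their own telemetry: a command line logged without a path does not end with any of the three patterns, so it is not covered by this rule as written.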
