Rundll32 Execution Without Parameters
Detects rundll32 execution without parameters, as observed when running the Metasploit windows/smb/psexec exploit module.
Sigma rule
title: Rundll32 Execution Without Parameters
id: 5bb68627-3198-40ca-b458-49f973db8752
status: test
description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
references:
    - https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021/01/31
modified: 2023/02/28
tags:
    - attack.lateral_movement
    - attack.t1021.002
    - attack.t1570
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - 'rundll32.exe'
            - 'rundll32'
    condition: selection
fields:
    - ComputerName
    - SubjectUserName
    - CommandLine
    - Image
    - ParentImage
falsepositives:
    - False positives may occur if a user called rundll32 from CLI with no options
level: high
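The selection above lists two plain strings with no wildcards, which in Sigma means a case-insensitive comparison against the whole CommandLine field, not a substring search. The following script is an added example (not part of the Sigma rule or the Sigma project's own tooling) that re-implements just that matching behaviour and runs the rule's selection over a handful of constructed process_creation events in Sysmon-style field names. It shows which events fire (bare `rundll32.exe` or `rundll32`, in any letter case), which do not (any invocation with arguments), and one coverage caveat worth knowing: a command line that spells out the full path with no arguments is also not matched by this exact-match selection. The field names, the event contents and the parent-process values are all assumptions constructed for the example.

```python
"""Run the 'Rundll32 Execution Without Parameters' Sigma selection over
constructed process_creation events (added example, not the rule's own code).

Sigma string semantics re-implemented here: a value without '*' or '?' must
equal the whole field, compared case-insensitively; '*' matches any run of
characters and '?' a single character. Field names follow the Sigma
process_creation taxonomy (Sysmon Event ID 1 style) and are assumptions.
"""
import re

# The rule's selection and pivot fields, transcribed from the YAML above.
SELECTION = {
    "CommandLine": ["rundll32.exe", "rundll32"],
}
FIELDS = ["ComputerName", "SubjectUserName", "CommandLine", "Image", "ParentImage"]


def sigma_pattern_to_regex(pattern):
    """Translate one Sigma string value into an anchored, case-insensitive regex.
    Only '*' and '?' are wildcards; everything else is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def selection_matches(event, selection=SELECTION):
    """A selection map is AND across fields; a list of values for one field is OR.
    A field missing from the event never matches."""
    for field, values in selection.items():
        value = event.get(field)
        if value is None:
            return False
        if not any(sigma_pattern_to_regex(v).match(value) for v in values):
            return False
    return True


def run_rule(events, selection=SELECTION, fields=FIELDS):
    """Return (index, pivot_fields) for every event the selection fires on."""
    hits = []
    for i, ev in enumerate(events):
        if selection_matches(ev, selection):
            hits.append((i, {f: ev.get(f) for f in fields}))
    return hits


# Constructed sample telemetry (assumed values, not captured data).
_SYS32 = r"C:\Windows\System32"
EVENTS = [
    # 0: bare rundll32.exe spawned by the service control manager - the shape
    #    the rule describes for the psexec module (assumed parent) -> match
    {"ComputerName": "WS01", "SubjectUserName": "SYSTEM",
     "Image": _SYS32 + r"\rundll32.exe", "CommandLine": "rundll32.exe",
     "ParentImage": _SYS32 + r"\services.exe"},
    # 1: the documented false positive - a user typed rundll32 at a prompt -> match
    {"ComputerName": "WS02", "SubjectUserName": "jdoe",
     "Image": _SYS32 + r"\rundll32.exe", "CommandLine": "rundll32",
     "ParentImage": _SYS32 + r"\cmd.exe"},
    # 2: ordinary use with a DLL and entry point -> no match
    {"ComputerName": "WS02", "SubjectUserName": "jdoe",
     "Image": _SYS32 + r"\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": _SYS32 + r"\explorer.exe"},
    # 3: full path, still no arguments - exact match does NOT cover this
    {"ComputerName": "WS03", "SubjectUserName": "SYSTEM",
     "Image": _SYS32 + r"\rundll32.exe",
     "CommandLine": '"' + _SYS32 + r'\rundll32.exe"',
     "ParentImage": _SYS32 + r"\services.exe"},
    # 4: letter-case variation -> match (Sigma compares case-insensitively)
    {"ComputerName": "WS01", "SubjectUserName": "SYSTEM",
     "Image": _SYS32 + r"\rundll32.exe", "CommandLine": "RUNDLL32.EXE",
     "ParentImage": _SYS32 + r"\services.exe"},
]


if __name__ == "__main__":
    for index, pivot in run_rule(EVENTS):
        print(f"event {index} matched: {pivot}")
```

The pivot fields returned with each hit are the rule's own `fields` list; ParentImage is the one an analyst would look at first to separate the interactive false positive (a shell parent) from a service-launched instance. Event 3 is the caveat: if your telemetry records full paths for argument-less launches, this selection as written will not fire on them, and you would need a path-aware variant of the value list.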
References
- https://bczyz1.github.io/2021/01/30/psexec.html
Related rules
- CobaltStrike Service Installations - Security
- T1047 Wmiprvse Wbemcomn DLL Hijack
- Wmiprvse Wbemcomn DLL Hijack
- Wmiprvse Wbemcomn DLL Hijack - File
- First Time Seen Remote Named Pipe