Detection rules › Kusto Query Language

Midnight Blizzard - suspicious rundll32.exe execution of vbscript

'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1547` Boot or Logon Autostart Execution
Privilege Escalation	`T1547` Boot or Logon Autostart Execution

Provider	Event ID	Title
Security-Auditing	4688	A new process has been created.

<union>

union of 2 branches