Detection rules › Kusto Query Language
Regsvr32 Rundll32 Image Loads Abnormal Extension
This query looks for regsvr32.exe or rundll32.exe loading image files whose extension is not .dll, then joins the results to public network events so that an abnormal load can be correlated with outbound network activity from the same process. References: https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1218.010 System Binary Proxy Execution: Regsvr32, T1218.011 System Binary Proxy Execution: Rundll32 |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 7 | Image loaded |
| Defender-DeviceImageLoadEvents | 9006000 | Image load (any) |
Stages and Predicates
| Stage | Operator | Predicate |
|---|---|---|
| 1 | source | DeviceImageLoadEvents |
| 2 | where | InitiatingProcessFileName match ["rundll32.exe", "regsvr32.exe"] |
| 3 | where | not (FileName ends_with ".dll") |
| 4 | join | |
| 5 | project | |
| 6 | extend | |
| 7 | extend | |
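The stage list above is the catalog's normalized view of the rule, not the query itself. The following KQL is an added illustrative reconstruction of those seven stages written for this page; it is not the catalog's or the referenced blog's query. It assumes the Microsoft Defender XDR advanced hunting schema (DeviceImageLoadEvents, DeviceNetworkEvents, RemoteIPType); the join keys, the lookback window and the projected and extended columns are assumptions, since the page does not list them.

```kql
// Added example: reconstruction of the stages above, not the catalog's own query.
// Assumed: Defender XDR advanced hunting schema; join keys and projected columns are choices made here.
let lookback = 7d;
DeviceImageLoadEvents
| where Timestamp > ago(lookback)
// Stage 2: loads initiated by either proxy-execution binary (in~ is case-insensitive)
| where InitiatingProcessFileName in~ ("rundll32.exe", "regsvr32.exe")
// Stage 3: suppress the normal case; endswith is case-insensitive, so ".DLL" is excluded as well,
// and files with no extension at all still pass this stage
| where not(FileName endswith ".dll")
// Stage 4: correlate with connections to public addresses from the same process instance.
// Joining on PID alone is unsafe because PIDs are reused, so the process creation time is included.
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIPType == "Public"
    | project NetTimestamp = Timestamp, DeviceId, InitiatingProcessId,
              InitiatingProcessCreationTime, RemoteIP, RemotePort, RemoteUrl
  ) on DeviceId, InitiatingProcessId, InitiatingProcessCreationTime
// Stage 5: keep what an analyst needs for triage
| project Timestamp, NetTimestamp, DeviceName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, FileName, FolderPath, SHA256,
          RemoteIP, RemotePort, RemoteUrl
// Stage 6: the extension actually loaded, lower-cased for grouping
| extend LoadedExtension = tolower(extract(@"(\.[^.\\]+)$", 1, FileName))
// Stage 7: time between the image load and the network event (negative if the connection came first)
| extend SecondsToNetwork = datetime_diff("second", NetTimestamp, Timestamp)
| order by Timestamp desc
```

Two tuning points a practitioner should expect. First, some non-.dll loads by these binaries are legitimate: regsvr32.exe registers .ocx ActiveX controls and rundll32.exe loads .cpl Control Panel items, so on a fleet with such software a baseline of LoadedExtension per host is needed before alerting on every hit. Second, because the rule as listed only excludes ".dll", a DLL renamed to any other extension (or to no extension) is caught, which is the behaviour the rule intends; switching to endswith_cs would reintroduce a gap for ".DLL" and should be avoided.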
Exclusions
Top-level NOT(...) conjuncts, i.e. the predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | FileName | ends_with | .dll |
Indicators
Each row is a field, operator, and value that the rule matches.
| Field | Kind | Values |
|---|---|---|
| InitiatingProcessFileName | match | rundll32.exe, regsvr32.exe |