Detection rules › Kusto Query Language

Regsvr32 Rundll32 with Anomalous Parent Process

Source: upstream

This analytical rule looks for rundll32.exe or regsvr32.exe being spawned by abnormal processes: wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe. Blog: https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1218.010` System Binary Proxy Execution: Regsvr32, `T1218.011` System Binary Proxy Execution: Rundll32

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.
Defender-DeviceProcessEvents	9001000	Process activity (any)

Stages and Predicates

Stage 1: `source`

DeviceProcessEvents

Stage 2: `where`

FileName match ["rundll32.exe", "regsvr32.exe"]

Stage 3: `where`

InitiatingProcessFileName match ["wscript.exe", "powershell.exe", "cmd.exe", "pwsh.exe", "cscript.exe"]

Stage 4: `project`

Stage 5: `join`

Stage 6: `project-away`

Stage 7: `extend`

Stage 8: `extend`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`FileName`	match	`regsvr32.exe` `rundll32.exe`
`InitiatingProcessFileName`	match	`cmd.exe` `cscript.exe` `powershell.exe` `pwsh.exe` `wscript.exe`

Regsvr32 Rundll32 with Anomalous Parent Process

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: where

Stage 4: project

Stage 5: join

Stage 6: project-away

Stage 7: extend

Stage 8: extend