
Rundll32 Execution With Uncommon DLL Extension

Severity
medium
Author
Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
Source
upstream

Detects executions of rundll32 whose command line does not reference a file with one of the common extensions it normally loads (.dll, .cpl, .inf), an indicator that rundll32 is being used as a proxy to run code from a file with an arbitrary or missing extension. Known legitimate patterns are filtered out: MSI custom actions run from msiexec, COM -localserver launches, Edge updater installs, and empty or missing command lines.

MITRE ATT&CK coverage

Tactic           Technique
Defense Evasion  T1218.011 System Binary Proxy Execution: Rundll32

Event coverage

Provider  Event ID  Title
Sysmon    1         Process creation

Stages and Predicates

Stage 1: selection

or:
Image|endswith: '\rundll32.exe'
OriginalFileName: RUNDLL32.EXE

Stage 2: not 1 of filter_main_*

or:
CommandLine|contains: .tmp
CommandLine|contains: ':\Windows\Installer\'
CommandLine|contains: 'zzzzInvokeManagedCustomActionOutOfProc'
ParentImage|endswith: '\msiexec.exe'
CommandLine|endswith: .cpl
CommandLine|endswith: .dll
CommandLine|endswith: .inf
CommandLine: ''
CommandLine: null
CommandLine|contains: ' -localserver '
CommandLine|contains: '.cpl '
CommandLine|contains: '.cpl'''
CommandLine|contains: '.cpl,'
CommandLine|contains: '.cpl"'
CommandLine|contains: '.dll '
CommandLine|contains: '.dll'''
CommandLine|contains: '.dll,'
CommandLine|contains: '.dll"'
CommandLine|contains: '.inf '
CommandLine|contains: '.inf'''
CommandLine|contains: '.inf,'
CommandLine|contains: '.inf"'

Stage 3: not 1 of filter_optional_EdgeUpdate

ParentCommandLine|contains: '--install-archive='
ParentCommandLine|contains: '--msedgewebview --verbose-logging --do-not-launch-msedge --user-level'
ParentCommandLine|contains: '--previous-version='
ParentCommandLine|contains: '.tmp\setup.exe'
ParentCommandLine|contains: ':\Users\'
ParentCommandLine|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
ParentCommandLine|contains: '\EDGEMITMP_'
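The three stages above evaluated over constructed Sysmon Event ID 1 records, as an added example that is not part of the catalog page or the upstream Sigma rule file. It follows Sigma defaults that matter in practice: string tests are case-insensitive, so an uppercase `.DLL` is still filtered, and the `CommandLine: ''` / `CommandLine: null` predicates mean an empty or absent command line never alerts. Two points are assumptions rather than statements of the page: the Stage 2 predicates are evaluated as alternatives exactly as listed (including `ParentImage` msiexec as a stand-alone exclusion), and the Stage 3 EdgeUpdate values, for which the page shows no combinator, are required to co-occur in the parent command line, because treating `:\Users\` alone as an exclusion would suppress any rundll32 launched from a user profile path. All sample events, paths and identifiers are constructed.

```python
"""Rule logic for 'Rundll32 Execution With Uncommon DLL Extension' over Sysmon
Event ID 1 records (dicts). Added illustration, not the upstream Sigma file."""

# Stage 1 (selection): either predicate matches. Sigma string modifiers are
# case-insensitive by default, so all comparisons use casefolded text.
SELECTION_IMAGE_SUFFIX = "\\rundll32.exe"
SELECTION_ORIGINAL_FILENAME = "rundll32.exe"

# Stage 2 (filter_main_*): listed on the page as alternatives; any one suppresses.
FILTER_MAIN_CONTAINS = (
    ".tmp", ":\\windows\\installer\\", "zzzzinvokemanagedcustomactionoutofproc",
    " -localserver ",
    ".cpl ", ".cpl'", ".cpl,", '.cpl"',
    ".dll ", ".dll'", ".dll,", '.dll"',
    ".inf ", ".inf'", ".inf,", '.inf"',
)
FILTER_MAIN_ENDSWITH = (".cpl", ".dll", ".inf")
FILTER_MAIN_PARENT_IMAGE_SUFFIX = "\\msiexec.exe"   # page lists this as its own alternative

# Stage 3 (filter_optional_EdgeUpdate). ASSUMPTION: the page gives no combinator;
# here all values must co-occur, since they describe one installer command line.
FILTER_EDGE_PARENT_CONTAINS_ALL = (
    "--install-archive=",
    "--msedgewebview --verbose-logging --do-not-launch-msedge --user-level",
    "--previous-version=", ".tmp\\setup.exe", ":\\users\\",
    "\\appdata\\local\\microsoft\\edgeupdate\\install\\{", "\\edgemitmp_",
)


def _field(event, name):
    """Casefolded string field, or None when the field is null or absent."""
    value = event.get(name)
    return value.casefold() if isinstance(value, str) else None


def matches_selection(event):
    image = _field(event, "Image") or ""
    original = _field(event, "OriginalFileName") or ""
    return image.endswith(SELECTION_IMAGE_SUFFIX) or original == SELECTION_ORIGINAL_FILENAME


def matches_filter_main(event):
    cmd = _field(event, "CommandLine")
    if cmd is None or cmd == "":          # CommandLine: null  /  CommandLine: ''
        return True
    if any(token in cmd for token in FILTER_MAIN_CONTAINS) or cmd.endswith(FILTER_MAIN_ENDSWITH):
        return True
    return (_field(event, "ParentImage") or "").endswith(FILTER_MAIN_PARENT_IMAGE_SUFFIX)


def matches_filter_edgeupdate(event):
    parent_cmd = _field(event, "ParentCommandLine") or ""
    return all(token in parent_cmd for token in FILTER_EDGE_PARENT_CONTAINS_ALL)


def rule_fires(event):
    """selection and not 1 of filter_main_* and not filter_optional_EdgeUpdate."""
    return (matches_selection(event) and not matches_filter_main(event)
            and not matches_filter_edgeupdate(event))


def detect(events):
    """Ids of the events the rule alerts on, in input order."""
    return [event["Id"] for event in events if rule_fires(event)]


# Constructed sample records, reduced to the fields the rule reads.
RUNDLL32 = "C:\\Windows\\System32\\rundll32.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
EDGE_DIR = ("C:\\Users\\bob\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install"
            "\\{11111111-2222-3333-4444-555555555555}")
SAMPLE_EVENTS = [
    {"Id": "control-panel-dll", "Image": RUNDLL32, "ParentImage": CMD, "ParentCommandLine": CMD,
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"Id": "javascript-payload", "Image": RUNDLL32, "ParentImage": CMD, "ParentCommandLine": CMD,
     "CommandLine": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();'},
    {"Id": "txt-extension", "Image": RUNDLL32, "ParentImage": CMD, "ParentCommandLine": CMD,
     "CommandLine": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\payload.txt,DllMain"},
    {"Id": "renamed-binary", "Image": "C:\\Users\\alice\\Downloads\\r.exe", "ParentImage": CMD,
     "OriginalFileName": "RUNDLL32.EXE", "ParentCommandLine": CMD,
     "CommandLine": "r.exe C:\\Users\\alice\\Downloads\\x.png,Entry"},
    {"Id": "empty-commandline", "Image": RUNDLL32, "ParentImage": CMD, "ParentCommandLine": CMD,
     "CommandLine": ""},
    {"Id": "missing-commandline", "Image": RUNDLL32, "ParentImage": CMD, "ParentCommandLine": CMD},
    {"Id": "uppercase-dll", "Image": RUNDLL32, "ParentImage": CMD, "ParentCommandLine": CMD,
     "CommandLine": "RUNDLL32.EXE C:\\WINDOWS\\SYSTEM32\\SHELL32.DLL,Control_RunDLL"},
    {"Id": "com-localserver", "Image": RUNDLL32, "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentCommandLine": "svchost.exe -k DcomLaunch",
     "CommandLine": "rundll32.exe -localserver 22d6f312-b0f6-11d0-94ab-0080c74c7e95"},
    {"Id": "msi-custom-action", "Image": RUNDLL32, "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "ParentCommandLine": "C:\\Windows\\System32\\msiexec.exe -Embedding 1234",
     "CommandLine": 'rundll32.exe "C:\\Windows\\Installer\\MSI1A2B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1 1 A!B.C'},
    {"Id": "edge-updater", "Image": RUNDLL32, "ParentImage": EDGE_DIR + "\\EDGEMITMP_1A2B.tmp\\setup.exe",
     "ParentCommandLine": f'"{EDGE_DIR}\\EDGEMITMP_1A2B.tmp\\setup.exe" --install-archive="{EDGE_DIR}\\MSEDGE.7z" '
                          "--previous-version=120.0.0.0 --msedgewebview --verbose-logging --do-not-launch-msedge --user-level",
     "CommandLine": "rundll32.exe webview_helper,Register"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))   # the three events with no common extension and no matching filter
```

Only `javascript-payload`, `txt-extension` and `renamed-binary` alert: the last one shows why the selection also keys on `OriginalFileName`, since a copied and renamed rundll32 would otherwise slip past the `Image` test. The `edge-updater` record passes Stage 1 and Stage 2 and is suppressed only by Stage 3, which is the filter to revisit if your environment shows a different updater command line.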

Indicators

Each row is a field, operator, and value that the rule tests. The corpus column counts how many other rules in the catalog test the same combination: high numbers point to widely used, community-vetted indicators, while a blank count or a count of 1 means the indicator is specific to this rule. Note that for this rule nearly every listed value is an exclusion: apart from the Image and OriginalFileName selection, each value appears in a filter, so a match on it suppresses the alert rather than raising it.

Field              Kind        Values
CommandLine        ends_with
  • .cpl  corpus 2 (sigma 2)
  • .dll  corpus 9 (sigma 9)
  • .inf
CommandLine        match
  • -localserver
  • .cpl
  • .cpl"
  • .cpl'
  • .cpl,
  • .dll  corpus 2 (sigma 2)
  • .dll"  corpus 2 (sigma 2)
  • .dll'
  • .dll,
  • .inf
  • .inf"
  • .inf'
  • .inf,
  • .tmp  corpus 3 (sigma 3)
  • :\Windows\Installer\
  • zzzzInvokeManagedCustomActionOutOfProc  corpus 2 (sigma 2)
Image              ends_with
  • \rundll32.exe  corpus 76 (sigma 76)
OriginalFileName   eq
  • RUNDLL32.EXE  corpus 28 (sigma 25, splunk 3)
ParentCommandLine  match
  • --install-archive=
  • --msedgewebview --verbose-logging --do-not-launch-msedge --user-level
  • --previous-version=
  • .tmp\setup.exe
  • :\Users\  corpus 3 (sigma 3)
  • \AppData\Local\Microsoft\EdgeUpdate\Install\{
  • \EDGEMITMP_
ParentImage        ends_with
  • \msiexec.exe  corpus 2 (sigma 2)