EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Rundll32 Execution Without CommandLine Parameters

Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity

MITRE ATT&CK

T1202
defense-evasion

Detection Query

selection:
  CommandLine|endswith:
    - \rundll32.exe
    - \rundll32.exe"
    - \rundll32
filter:
  ParentImage|contains:
    - \AppData\Local\
    - \Microsoft\Edge\
condition: selection and not filter

Author

Florian Roth (Nextron Systems)

Created

2021-05-27

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1202
Raw Content
title: Rundll32 Execution Without CommandLine Parameters
id: 1775e15e-b61b-4d14-a1a3-80981298085a
status: test
description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
references:
    - https://www.cobaltstrike.com/help-opsec
    - https://twitter.com/ber_m1ng/status/1397948048135778309
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2023-08-31
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|endswith:
            - '\rundll32.exe'
            - '\rundll32.exe"'
            - '\rundll32'
    filter:
        ParentImage|contains:
            - '\AppData\Local\'
            - '\Microsoft\Edge\'
    condition: selection and not filter
falsepositives:
    - Possible but rare
level: high