Sigma rule · Level: high · Hunting
Rundll32 Execution Without Parameters
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
Detection Query
selection:
    CommandLine:
        - rundll32.exe
        - rundll32
condition: selection
Author
Bartlomiej Czyz, Relativity
Created
2021-01-31
Data Sources
windows: Process Creation Events
Platforms
windows
Tags
attack.lateral-movement
attack.t1021.002
attack.t1570
attack.execution
attack.t1569.002
Raw Content
title: Rundll32 Execution Without Parameters
id: 5bb68627-3198-40ca-b458-49f973db8752
status: test
description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
references:
    - https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-31
modified: 2023-02-28
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1570
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - 'rundll32.exe'
            - 'rundll32'
    condition: selection
falsepositives:
    - False positives may occur if a user called rundll32 from CLI with no options
level: high
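The following is an added example, not code from the rule author or the SigmaHQ project: a minimal evaluator for this rule's single selection, run over constructed process creation events, to make the matching semantics concrete. A Sigma string value without wildcards is compared against the whole field value, case-insensitively, so the rule fires only when CommandLine is exactly rundll32.exe or rundll32 (in any letter case). An invocation that the logging source records with a full path, quotes, or any argument does not match, which is both why the false-positive rate is low and a limitation to keep in mind for the psexec case if your telemetry normalises command lines differently. The sample events and their field values are constructed for this example.

```python
import re

# The rule's selection, transcribed from the YAML above: one field, two
# alternative values (a list under a field is an OR in Sigma).
RULE_SELECTION = {"CommandLine": ["rundll32.exe", "rundll32"]}

# Constructed sample process creation events (not real telemetry). Only the
# fields needed for the example are included.
SAMPLE_EVENTS = [
    # bare rundll32.exe, the shape the rule description targets
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe"},
    # same thing, different case: Sigma string matching is case-insensitive
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "RUNDLL32"},
    # a normal argument-bearing call: must not match
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    # full path with no arguments: a plain Sigma string is a whole-value
    # match, so this does not match either
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe"},
    # quoted image name: also not an exact match
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": '"rundll32.exe"'},
    # event without the field at all: a missing field never matches
    {"Image": r"C:\Windows\System32\rundll32.exe"},
]


def sigma_pattern(value: str) -> re.Pattern:
    """Compile one Sigma string value into a whole-value, case-insensitive regex.

    Sigma treats '*' as 'any characters' and '?' as 'any single character';
    everything else is literal. This rule uses no wildcards, but the helper
    honours them so other values can be tried against the same events.
    """
    escaped = re.escape(value).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rf"^{escaped}$", re.IGNORECASE | re.DOTALL)


def selection_matches(event: dict, selection: dict) -> bool:
    """Evaluate a Sigma selection map: AND across fields, OR across listed values."""
    for field, values in selection.items():
        if field not in event:
            return False
        if isinstance(values, str):
            values = [values]
        candidate = str(event[field])
        if not any(sigma_pattern(v).match(candidate) for v in values):
            return False
    return True


def run_rule(events) -> list:
    """Return the events that satisfy 'condition: selection' for this rule."""
    return [e for e in events if selection_matches(e, RULE_SELECTION)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT rundll32 without parameters:", hit["CommandLine"])
```

Only the first two constructed events produce an alert; the argument-bearing, full-path and quoted forms, and the event lacking CommandLine, are all passed over. If you want the rule to catch a path-qualified invocation as well, that is a deliberate change to the rule's values (for example adding a wildcard form), not something the rule as published does.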