EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Rundll32 Execution With Uncommon DLL Extension

Detects the execution of rundll32 with a command line that doesn't contain a common extension

MITRE ATT&CK

T1218.011
defense-evasion

Detection Query

selection:
  - Image|endswith: \rundll32.exe
  - OriginalFileName: RUNDLL32.EXE
filter_main_null:
  CommandLine: null
filter_main_empty:
  CommandLine: ""
filter_main_known_extension:
  - CommandLine|contains:
      - ".cpl "
      - .cpl,
      - .cpl"
      - .cpl'
      - ".dll "
      - .dll,
      - .dll"
      - .dll'
      - ".inf "
      - .inf,
      - .inf"
      - .inf'
  - CommandLine|endswith:
      - .cpl
      - .dll
      - ".inf"
filter_main_localserver:
  CommandLine|contains: " -localserver "
filter_main_zzzzInvokeManagedCustomActionOutOfProc:
  ParentImage|endswith: \msiexec.exe
  CommandLine|contains|all:
    - :\Windows\Installer\
    - .tmp
    - zzzzInvokeManagedCustomActionOutOfProc
filter_optional_EdgeUpdate:
  ParentCommandLine|contains|all:
    - :\Users\
    - \AppData\Local\Microsoft\EdgeUpdate\Install\{
    - \EDGEMITMP_
    - .tmp\setup.exe
    - --install-archive=
    - --previous-version=
    - --msedgewebview --verbose-logging --do-not-launch-msedge --user-level
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou

Created

2022-01-13

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1218.011
Raw Content
title: Rundll32 Execution With Uncommon DLL Extension
id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf
status: test
description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
references:
    - https://twitter.com/mrd0x/status/1481630810495139841?s=12
author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
date: 2022-01-13
modified: 2024-04-04
tags:
    - attack.defense-evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    filter_main_null:
        CommandLine: null
    filter_main_empty:
        CommandLine: ''
    filter_main_known_extension:
        - CommandLine|contains:
              # Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage.
              - '.cpl '
              - '.cpl,'
              - '.cpl"'
              - ".cpl'"
              - '.dll '
              - '.dll,'
              - '.dll"'
              - ".dll'"
              - '.inf '
              - '.inf,'
              - '.inf"'
              - ".inf'"
        - CommandLine|endswith:
              # Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage.
              - '.cpl'
              - '.dll'
              - '.inf'
    filter_main_localserver:
        CommandLine|contains: ' -localserver '
    filter_main_zzzzInvokeManagedCustomActionOutOfProc:
        ParentImage|endswith: '\msiexec.exe'
        CommandLine|contains|all:
            - ':\Windows\Installer\'
            - '.tmp'
            - 'zzzzInvokeManagedCustomActionOutOfProc'
    filter_optional_EdgeUpdate:
        ParentCommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
            - '\EDGEMITMP_'
            - '.tmp\setup.exe'
            - '--install-archive='
            - '--previous-version='
            - '--msedgewebview --verbose-logging --do-not-launch-msedge --user-level'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium