Sigma rule | Level: medium | Type: Hunting
Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
Detects Rundll32 explicitly invoking the DLL export function 'DllRegisterServer' on the command line where the target DLL is located outside the standard program and system directories.
Detection Query
selection_image:
  - Image|endswith: '\rundll32.exe'
  - OriginalFileName: 'RUNDLL32.EXE'
selection_cmdline:
  CommandLine|contains: 'DllRegisterServer'
filter_main_legit_paths:
  CommandLine|contains:
    - ':\Program Files (x86)'
    - ':\Program Files\'
    - ':\Windows\System32\'
    - ':\Windows\SysWOW64\'
condition: all of selection_* and not 1 of filter_main_*
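To see what the rule does and does not catch, the following is an added example (not part of the Sigma rule, the rule explorer page, or the author's work): a minimal Python evaluator for this rule's selections, filter and condition, run over constructed process creation events. Field names follow the Sigma Windows process_creation convention (Image, OriginalFileName, CommandLine); the events, paths and file names are invented for illustration. String matching is done case-insensitively, which is Sigma's default.

```python
"""Added example: evaluate the 'Rundll32.EXE Calling DllRegisterServer'
rule logic over constructed process creation events (no real data)."""

# Values copied from the rule's detection block.
SELECTION_IMAGE_ENDSWITH = "\\rundll32.exe"
SELECTION_ORIGINAL_FILENAME = "RUNDLL32.EXE"
SELECTION_CMDLINE_CONTAINS = "DllRegisterServer"
FILTER_LEGIT_PATHS = [
    ":\\Program Files (x86)",
    ":\\Program Files\\",
    ":\\Windows\\System32\\",
    ":\\Windows\\SysWOW64\\",
]


def _lower(value):
    """Sigma string modifiers match case-insensitively by default."""
    return (value or "").lower()


def selection_image(event):
    # A list under a selection is an OR: either the on-disk file name or
    # the PE OriginalFileName identifies rundll32 (the latter survives renaming).
    return (_lower(event.get("Image")).endswith(_lower(SELECTION_IMAGE_ENDSWITH))
            or _lower(event.get("OriginalFileName")) == _lower(SELECTION_ORIGINAL_FILENAME))


def selection_cmdline(event):
    return _lower(SELECTION_CMDLINE_CONTAINS) in _lower(event.get("CommandLine"))


def filter_main_legit_paths(event):
    # A list of values for one field is an OR: any of the path fragments
    # anywhere in the command line suppresses the match.
    cmd = _lower(event.get("CommandLine"))
    return any(_lower(p) in cmd for p in FILTER_LEGIT_PATHS)


def matches(event):
    """condition: all of selection_* and not 1 of filter_main_*"""
    return (selection_image(event) and selection_cmdline(event)
            and not filter_main_legit_paths(event))


# Constructed sample events (hypothetical, not from any real incident).
SAMPLE_EVENTS = [
    # 0. Loader dropped to a user temp path: should match.
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\update.dll,DllRegisterServer"},
    # 1. Installer registering a COM DLL under Program Files: filtered out.
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe \"C:\\Program Files\\Vendor\\app.dll\",DllRegisterServer"},
    # 2. Renamed copy of rundll32, still caught via OriginalFileName: should match.
    {"Image": "C:\\Users\\Public\\svc.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "svc.exe C:\\Users\\Public\\payload.dll,DllRegisterServer"},
    # 3. Same payload plus a decoy argument containing a filtered path
    #    fragment: the 'contains' filter suppresses it (rule limitation).
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\payload.dll,DllRegisterServer C:\\Windows\\System32\\"},
    # 4. Launched with the full path to rundll32.exe on the command line:
    #    the ':\Windows\System32\' fragment in the path suppresses it too.
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" C:\\Users\\Public\\payload.dll,DllRegisterServer"},
    # 5. regsvr32 is the usual caller of DllRegisterServer: out of scope here.
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "regsvr32.exe /s C:\\Users\\Public\\payload.dll"},
]


def evaluate(events):
    """Return the 0-based indices of the events the rule alerts on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"hit: event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0 and 2 fire; events 3 and 4 show the cost of filtering on `CommandLine|contains` rather than on the DLL argument itself: any command line that carries a whitelisted path fragment anywhere, including the fully qualified path of rundll32.exe itself, is suppressed. When hunting with this rule, consider also reviewing the suppressed rundll32 events whose DLL argument points to a user-writable location.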
Author
Andreas Braathen (mnemonic.io)
Created
2023-10-17
Data Sources
Windows process creation events
Platforms
windows
References
https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior
https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
Tags
attack.defense-evasion, attack.t1218, detection.threat-hunting
Raw Content
title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
id: d81a9fc6-55db-4461-b962-0e78fea5b0ad
related:
  - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed rundll32
    type: similar
status: test
description: |
  Detects Rundll32 explicitly invoking the DLL export function 'DllRegisterServer' on the command line where the target DLL is located outside the standard program and system directories.
references:
  - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
  - https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior
  - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
author: Andreas Braathen (mnemonic.io)
date: 2023-10-17
tags:
  - attack.defense-evasion
  - attack.t1218
  - detection.threat-hunting
logsource:
  category: process_creation
  product: windows
detection:
  selection_image:
    - Image|endswith: '\rundll32.exe'
    - OriginalFileName: 'RUNDLL32.EXE'
  selection_cmdline:
    CommandLine|contains: 'DllRegisterServer'
  filter_main_legit_paths:
    CommandLine|contains:
      - ':\Program Files (x86)'
      - ':\Program Files\'
      - ':\Windows\System32\'
      - ':\Windows\SysWOW64\'
  condition: all of selection_* and not 1 of filter_main_*
falsepositives:
  - Legitimate usage as part of application installation, though less likely from e.g. temporary paths.
  - Not every match is malicious, but the rule is expected to capture the malicious usages.
level: medium