sigma · medium · Hunting

Remote DLL Load Via Rundll32.EXE

Detects a remote DLL load event via "rundll32.exe".

MITRE ATT&CK

execution

Detection Query

selection:
  Image|endswith: \rundll32.exe
  ImageLoaded|startswith: \\\\
condition: selection
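To make the selection above concrete, here is an added example (not part of the rule, the page, or the Sigma project) that applies the two conditions to constructed Windows image-load records with the `Image` and `ImageLoaded` fields the rule's `image_load` log source provides. It follows Sigma semantics the rule relies on: string matching is case-insensitive, the fields inside one selection are ANDed, and the YAML value `'\\\\'` is Sigma's escape for two literal backslashes, i.e. the UNC path prefix `\\`. Event values, host names and the IP address are constructed.

```python
"""Added example: evaluate the "Remote DLL Load Via Rundll32.EXE" selection
against constructed image-load records. Not the rule's own code; the records
below are constructed and only the two fields the rule uses matter."""

# The selection as written in the rule. The Sigma value '\\\\' denotes two
# literal backslashes, which in Python source is also written "\\\\".
RULE_SELECTION = {
    "Image|endswith": "\\rundll32.exe",
    "ImageLoaded|startswith": "\\\\",
}


def matches_remote_dll_load(event: dict) -> bool:
    """Return True when every field condition in the selection holds.

    Sigma string matching is case-insensitive by default, so both the event
    value and the pattern are lower-cased before comparison.
    """
    for key, pattern in RULE_SELECTION.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if not isinstance(value, str):
            return False  # field missing: the selection cannot match
        v, p = value.lower(), pattern.lower()
        if modifier == "endswith":
            ok = v.endswith(p)
        elif modifier == "startswith":
            ok = v.startswith(p)
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
        if not ok:
            return False
    return True


# Constructed image-load records (Sysmon-style field names, EventID 7).
SAMPLE_EVENTS = [
    # rundll32 loading a DLL from a UNC share -> matches
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "\\\\10.0.0.5\\share\\helper.dll"},
    # rundll32 loading a local system DLL -> no match
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll"},
    # upper-case image name, UNC host name -> still matches (case-insensitive)
    {"EventID": 7, "Image": "C:\\Windows\\SysWOW64\\RUNDLL32.EXE",
     "ImageLoaded": "\\\\fileserver\\public\\theme.dll"},
    # another host process loading from a share -> outside this rule's scope
    {"EventID": 7, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ImageLoaded": "\\\\10.0.0.5\\share\\helper.dll"},
    # remote DLL reached through a mapped drive letter -> no match (see note)
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "Z:\\public\\theme.dll"},
]


def remote_loads(events) -> list:
    """Return the ImageLoaded paths of all records that trigger the rule."""
    return [e["ImageLoaded"] for e in events if matches_remote_dll_load(e)]


if __name__ == "__main__":
    for path in remote_loads(SAMPLE_EVENTS):
        print("ALERT remote DLL load via rundll32:", path)
```

The last record illustrates a coverage boundary a defender should know about: the rule keys on the literal `\\` prefix, so a network location that has been mapped to a drive letter is reported with that letter and does not match, while a path written directly as a UNC share does.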

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-09-18

Data Sources

windows: Image Load Events

Platforms

windows

Tags

attack.execution, attack.t1204.002

Raw Content
title: Remote DLL Load Via Rundll32.EXE
id: f40017b3-cb2e-4335-ab5d-3babf679c1de
status: test
description: Detects a remote DLL load event via "rundll32.exe".
references:
    - https://github.com/gabe-k/themebleed
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-18
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ImageLoaded|startswith: '\\\\'
    condition: selection
falsepositives:
    - Unknown
level: medium