Unusual Child Processes of RunDLL32

Elastic Stack Serverless Security

Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.

Rule type: eql

Rule indices:

logs-endpoint.events.*
winlogbeat-*
logs-windows.*

Severity: high

Risk score: 21

Runs every: 30m

Searches indices from: now-60m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Elastic
Host
Windows
Threat Detection
Defense Evasion

Version: 6

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

		sequence with maxspan=1h
  [process where event.type in ("start", "process_started") and
     (process.name : "rundll32.exe" or process.pe.original_file_name == "RUNDLL32.EXE") and
      process.args_count == 1
  ] by process.entity_id
  [process where event.type in ("start", "process_started") and process.parent.name : "rundll32.exe"
  ] by process.parent.entity_id

	

Framework: MITRE ATT&CKTM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: System Binary Proxy Execution
- ID: T1218
- Reference URL: https://attack.mitre.org/techniques/T1218/
Sub-technique:
- Name: Rundll32
- ID: T1218.011
- Reference URL: https://attack.mitre.org/techniques/T1218/011/