Adversaries may use regsvr32.exe or rundll32.exe to load malicious DLLs with non-standard extensions to evade detection and execute arbitrary code. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential code execution attempts that bypass traditional file-based detection mechanisms.
KQL Query
DeviceImageLoadEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
| where FileName !endswith ".dll"
| join (
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
| where RemoteIPType == "Public"
) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine
| project Timestamp, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName
id: f24f6403-cba0-4f3c-9f88-28782b9ea39a
name: regsvr32-rundll32-image-loads-abnormal-extension
description: |
  This query looks for regsvr32.exe or rundll32.exe loading DLL images with extensions other than .dll,
  and joins the results to network events from the same process toward public remote addresses.
  References:
  https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceImageLoadEvents
      - DeviceNetworkEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1218.010
  - T1218.011
query: |
  DeviceImageLoadEvents
  | where Timestamp > ago(30d)
  | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
  | where FileName !endswith ".dll"
  | join (
      DeviceNetworkEvents
      | where Timestamp > ago(30d)
      | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
      | where RemoteIPType == "Public"
  ) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine
  | project Timestamp, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName
| Sentinel Table | Notes |
|---|---|
| DeviceImageLoadEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate DLL registration via regsvr32.exe
Description: A system administrator uses regsvr32.exe to register a valid .dll file as part of a software deployment or update.
Filter/Exclusion: Exclude events where the loaded file has a .dll extension or is signed by a trusted publisher.
Scenario: Scheduled job using rundll32.exe for script execution
Description: A scheduled task uses rundll32.exe to execute a .dll file that contains a script or automation routine (e.g., for system maintenance).
Filter/Exclusion: Exclude events where the file path is known to be part of a legitimate scheduled task or is signed by a trusted vendor.
Scenario: Third-party application using regsvr32.exe for COM object registration
Description: A third-party application (e.g., Adobe Acrobat, Microsoft Office) uses regsvr32.exe to register its own COM components.
Filter/Exclusion: Exclude events where the file path is within the installation directory of known legitimate applications.
Scenario: Malicious DLL injection via a legitimate process
Description: A legitimate process (e.g., explorer.exe, svchost.exe) is used to load a malicious DLL with an abnormal extension as part of a DLL side-loading attack.
Filter/Exclusion: Exclude events where the parent process is a known system service or trusted application.
Scenario: Custom tool using rundll32.exe for plugin loading
Description: A custom internal tool uses rundll32.exe to load a plugin with a non-standard extension (e.g., .plg, .dll) for functionality.
Filter/Exclusion: Exclude events where the file is located in a known internal tool directory.