Adversaries may use rundll32.exe and regsvr32.exe, binaries commonly associated with executing malicious payloads, spawned from unexpected parent processes such as wscript.exe or powershell.exe in order to evade detection. SOC teams should proactively hunt for this parent-child pairing in Azure Sentinel to identify code execution and persistence tactics early in the attack lifecycle.
KQL Query
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName has_any ("rundll32.exe", "regsvr32.exe")
| where InitiatingProcessFileName has_any ("wscript.exe", "powershell.exe", "cmd.exe", "pwsh.exe", "cscript.exe")
| project Timestamp, DeviceName, InvestigatedProcessName = FileName, InvestigatedProcessCommandLine = ProcessCommandLine, InvestigatedProcessStartTime = ProcessCreationTime, InvestigatedProcessId = ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| join (
    DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where InitiatingProcessFileName has_any ("rundll32.exe", "regsvr32.exe")
    | where RemoteIPType == "Public"
    | project DeviceName, InvestigatedProcessName = InitiatingProcessFileName, InvestigatedProcessCommandLine = InitiatingProcessCommandLine, InvestigatedProcessStartTime = InitiatingProcessCreationTime, InvestigatedProcessId = InitiatingProcessId, RemoteIP, RemoteUrl
) on DeviceName, InvestigatedProcessCommandLine, InvestigatedProcessId, InvestigatedProcessName, InvestigatedProcessStartTime
| project-away DeviceName1, InvestigatedProcessCommandLine1, InvestigatedProcessId1, InvestigatedProcessName1, InvestigatedProcessStartTime1
id: bef2bd1b-885a-40f4-b48f-6f5564cd81f3
name: regsvr32-rundll32-with-anomalous-parent-process
description: |
  This query looks for rundll32.exe or regsvr32.exe being spawned by abnormal processes: wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe.
  Blog:
  https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
      - DeviceNetworkEvents
tactics:
  - Defense evasion
relevantTechniques:
  - T1218.010
  - T1218.011
query: |
  DeviceProcessEvents
  | where Timestamp > ago(30d)
  | where FileName has_any ("rundll32.exe", "regsvr32.exe")
  | where InitiatingProcessFileName has_any ("wscript.exe", "powershell.exe", "cmd.exe", "pwsh.exe", "cscript.exe")
  | project Timestamp, DeviceName, InvestigatedProcessName = FileName, InvestigatedProcessCommandLine = ProcessCommandLine, InvestigatedProcessStartTime = ProcessCreationTime, InvestigatedProcessId = ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
  | join (
      DeviceNetworkEvents
      | where Timestamp > ago(30d)
      | where InitiatingProcessFileName has_any ("rundll32.exe", "regsvr32.exe")
      | where RemoteIPType == "Public"
      | project DeviceName, InvestigatedProcessName = InitiatingProcessFileName, InvestigatedProcessCommandLine = InitiatingProcessCommandLine, InvestigatedProcessStartTime = InitiatingProcessCreationTime, InvestigatedProcessId = InitiatingProcessId, RemoteIP, RemoteUrl
  ) on DeviceName, InvestigatedProcessCommandLine, InvestigatedProcessId, InvestigatedProcessName, InvestigatedProcessStartTime
  | project-away DeviceName1, InvestigatedProcessCommandLine1, InvestigatedProcessId1, InvestigatedProcessName1, InvestigatedProcessStartTime1
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Legitimate Script Execution via PowerShell
Description: A system administrator uses PowerShell to run a legitimate script that spawns rundll32.exe or regsvr32.exe as part of a routine maintenance task.
Filter/Exclusion: Exclude processes where the parent is powershell.exe and the command line includes known administrative tools like PowerShell.exe -Command or Invoke-Command with whitelisted scripts.
Scenario: Scheduled Task Running a Legacy Application
Description: A scheduled task, configured via Task Scheduler, runs a legacy application that uses regsvr32.exe to register a COM component.
Filter/Exclusion: Exclude processes where the parent is schtasks.exe or taskhost.exe and the command line includes known COM registration commands like regsvr32.exe /s <dllname>.dll.
Scenario: Admin Task Using CMD to Register a DLL
Description: An administrator uses the command prompt to register a DLL using regsvr32.exe as part of a software deployment or configuration task.
Filter/Exclusion: Exclude processes where the parent is cmd.exe and the command line includes regsvr32.exe with a known, whitelisted DLL path.
Scenario: Running a Trusted Application via WScript
Description: A trusted application (e.g., a custom tool or script) is launched via wscript.exe to execute a script that spawns rundll32.exe as part of its normal operation.
Filter/Exclusion: Exclude processes where the parent is wscript.exe and the script path is known to be part of a trusted application or internal toolset.
Scenario: PowerShell Remoting Session with Scheduled Job
Description: A PowerShell rem
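The following is an added tuning example, not part of the original rule or blog: it re-expresses the hunt query above with the allowlist exclusions from the "Admin Task Using CMD to Register a DLL" and "Running a Trusted Application via WScript" scenarios applied, and aggregates the public destinations per investigated process so the noisiest hits can be triaged first. Every allowlist path below is a constructed placeholder to be replaced with known-good DLL and script paths from your own environment.

```kql
// Constructed placeholders: DLL paths that regsvr32.exe is expected to register
// and script paths that wscript.exe legitimately launches in this environment.
let lookback = 30d;
let allowedDllPaths = dynamic([
    @"C:\Program Files\ExampleVendor\component.dll",
    @"C:\LegacyApp\legacycom.dll"
]);
let allowedScriptPaths = dynamic([
    @"C:\Tools\InternalToolset\launcher.vbs"
]);
let candidates =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("rundll32.exe", "regsvr32.exe")
    | where InitiatingProcessFileName in~ ("wscript.exe", "powershell.exe", "cmd.exe", "pwsh.exe", "cscript.exe")
    // Scenario: regsvr32.exe registering an allowlisted DLL from an admin shell
    | where not(FileName =~ "regsvr32.exe" and ProcessCommandLine has_any (allowedDllPaths))
    // Scenario: a trusted script launched via wscript.exe spawning rundll32.exe
    | where not(InitiatingProcessFileName =~ "wscript.exe" and InitiatingProcessCommandLine has_any (allowedScriptPaths))
    | project Timestamp, DeviceName,
        InvestigatedProcessName = FileName,
        InvestigatedProcessCommandLine = ProcessCommandLine,
        InvestigatedProcessStartTime = ProcessCreationTime,
        InvestigatedProcessId = ProcessId,
        InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName;
// One row per investigated process, with its distinct public destinations collected
let publicConnections =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ ("rundll32.exe", "regsvr32.exe")
    | where RemoteIPType == "Public"
    | summarize DistinctPublicIPs = dcount(RemoteIP),
                RemoteIPs = make_set(RemoteIP, 20),
                RemoteUrls = make_set(RemoteUrl, 20)
        by DeviceName,
           InvestigatedProcessName = InitiatingProcessFileName,
           InvestigatedProcessCommandLine = InitiatingProcessCommandLine,
           InvestigatedProcessStartTime = InitiatingProcessCreationTime,
           InvestigatedProcessId = InitiatingProcessId;
// Same join keys as the original rule: the process identity on the device
candidates
| join kind=inner publicConnections
    on DeviceName, InvestigatedProcessName, InvestigatedProcessCommandLine, InvestigatedProcessStartTime, InvestigatedProcessId
| project-away DeviceName1, InvestigatedProcessName1, InvestigatedProcessCommandLine1, InvestigatedProcessStartTime1, InvestigatedProcessId1
| order by DistinctPublicIPs desc, Timestamp desc
```

Because the exclusions are scoped to the exact parent and command-line combination each scenario describes, a rundll32.exe or regsvr32.exe launched from the same parent with an unknown DLL or script path still surfaces.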