Rundll32 Execution Without CommandLine Parameters

Hunt Hypothesis

Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity

Detection Rule

Sigma (Original)

title: Rundll32 Execution Without CommandLine Parameters
id: 1775e15e-b61b-4d14-a1a3-80981298085a
status: test
description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
references:
    - https://www.cobaltstrike.com/help-opsec
    - https://twitter.com/ber_m1ng/status/1397948048135778309
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2023-08-31
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|endswith:
            - '\rundll32.exe'
            - '\rundll32.exe"'
            - '\rundll32'
    filter:
        ParentImage|contains:
            - '\AppData\Local\'
            - '\Microsoft\Edge\'
    condition: selection and not filter
falsepositives:
    - Possible but rare
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine endswith "\\rundll32.exe" or TargetProcessCommandLine endswith "\\rundll32.exe\"" or TargetProcessCommandLine endswith "\\rundll32") and (not(((ParentProcessName contains "\\AppData\\Local\\" or ParentProcessName contains "\\Microsoft\\Edge\\") or (ActingProcessName contains "\\AppData\\Local\\" or ActingProcessName contains "\\Microsoft\\Edge\\"))))

Required Data Sources

False Positive Guidance

• Possible but rare

MITRE ATT&CK Context

• Technique: T1202 — T1202

References

• https://www.cobaltstrike.com/help-opsec
• https://twitter.com/ber_m1ng/status/1397948048135778309
• SigmaHQ Rule