Sigma is the open, vendor-neutral signature format for SIEM systems. Each rule below can be converted to native query syntax for Splunk, Elastic, Microsoft Sentinel and other SIEMs; the raw Sigma YAML of every rule is shown beneath its summary.
Bad Opsec Defaults Sacrificial Processes With Improper Arguments (level: high)
Detects attackers using tooling with bad opsec defaults, for example spawning a sacrificial process to inject a capability into it without taking into account how that process is normally run.
One trivial example is using rundll32.exe without arguments as a sacrificial process (the default in Cobalt Strike, now highlighted by c2lint); another is running WerFault.exe without arguments (Kraken, credit am0nsec).
Status: test | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) | ID: a7c3d773-caef-227e-a7e7-c2f13c622329
title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
id: a7c3d773-caef-227e-a7e7-c2f13c622329
related:
    - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
      type: obsolete
status: test
description: |
    Detects attackers using tooling with bad opsec defaults.
    E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
    One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
references:
    - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
    - https://www.cobaltstrike.com/help-opsec
    - https://twitter.com/CyberRaiju/status/1251492025678983169
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
date: 2020-10-23
modified: 2024-08-15
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_werfault:
        Image|endswith: '\WerFault.exe'
        CommandLine|endswith: 'WerFault.exe'
    selection_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    selection_regsvcs:
        Image|endswith: '\regsvcs.exe'
        CommandLine|endswith: 'regsvcs.exe'
    selection_regasm:
        Image|endswith: '\regasm.exe'
        CommandLine|endswith: 'regasm.exe'
    selection_regsvr32:
        Image|endswith: '\regsvr32.exe'
        CommandLine|endswith: 'regsvr32.exe'
    filter_optional_edge_update:
        ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    filter_optional_chromium_installer:
        # As reported in https://github.com/SigmaHQ/sigma/issues/4570 and others
        ParentImage|contains:
            - '\AppData\Local\BraveSoftware\Brave-Browser\Application\'
            - '\AppData\Local\Google\Chrome\Application\'
        ParentImage|endswith: '\Installer\setup.exe'
        ParentCommandLine|contains: '--uninstall '
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high
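The condition syntax above ("1 of selection_*", "not 1 of filter_optional_*") and the field modifiers are what a converter turns into a SIEM query. The following is an added example, not part of SigmaHQ or pySigma: a minimal Python evaluator for exactly the subset these rules use, with the first rule written as the dict its YAML loads to and run over constructed process-creation events. The image names in the dict are lower-cased, which is equivalent because Sigma string matching is case-insensitive; the sample events, paths and parent processes are made up.

```python
"""Minimal evaluator for the Sigma subset these rules use. Added example, not SigmaHQ
or pySigma code: endswith/startswith/contains/contains|all, case-insensitive matching,
a list of values = OR, a mapping = AND, a list of mappings = OR, null = absent field,
conditions made of names, "1 of X_*", "all of X_*", "and", "or", "not", parentheses."""
import fnmatch
import re


def _pair_matches(event, key, expected):
    """One 'Field|modifiers: value' pair; a list of values is OR (AND with |all)."""
    field, _, mods = key.partition("|")
    actual = "" if event.get(field) is None else str(event[field]).lower()
    values = expected if isinstance(expected, list) else [expected]

    def one(v):
        if v is None:                               # 'Field: null' = field absent
            return event.get(field) is None
        v = str(v).lower()
        if "endswith" in mods:
            return actual.endswith(v)
        if "startswith" in mods:
            return actual.startswith(v)
        if "contains" in mods:
            return v in actual
        return actual == v                          # plain value: exact match

    return (all if "all" in mods.split("|") else any)(one(v) for v in values)


def _selection_matches(event, selection):
    """Mapping: AND over its pairs. List of mappings: OR over the items."""
    if isinstance(selection, list):
        return any(_selection_matches(event, item) for item in selection)
    return all(_pair_matches(event, k, v) for k, v in selection.items())


def rule_matches(rule, event):
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*."""
    detection = rule["detection"]
    tokens = re.findall(r"\(|\)|[^\s()]+", detection["condition"])
    peek = lambda: tokens[0] if tokens else None
    take = lambda: tokens.pop(0)

    def expr():
        value = term()
        while peek() == "or":
            take()
            value = term() or value                 # always consume the right side
        return value

    def term():
        value = factor()
        while peek() == "and":
            take()
            value = factor() and value
        return value

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            assert take() == ")", "unbalanced parentheses"
            return value
        if tok in ("1", "all") and peek() == "of":
            take()
            pattern = take()                        # e.g. selection_* or filter_optional_*
            hits = [_selection_matches(event, s) for n, s in detection.items()
                    if n != "condition" and fnmatch.fnmatchcase(n, pattern)]
            return any(hits) if tok == "1" else bool(hits) and all(hits)
        return _selection_matches(event, detection[tok])

    return bool(expr())


def evaluate(rule, events):
    """Indices of the events on which the rule fires."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


# The first rule on this page as the structure its YAML loads to (names lower-cased).
BAD_OPSEC_DEFAULTS = {"detection": {
    **{f"selection_{n}": {"Image|endswith": f"\\{n}.exe", "CommandLine|endswith": f"{n}.exe"}
       for n in ("werfault", "rundll32", "regsvcs", "regasm", "regsvr32")},
    "filter_optional_edge_update": {
        "ParentImage|contains": r"\AppData\Local\Microsoft\EdgeUpdate\Install\{",
        "Image|endswith": r"\rundll32.exe", "CommandLine|endswith": "rundll32.exe"},
    "filter_optional_chromium_installer": {
        "ParentImage|contains": ["\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\",
                                 "\\AppData\\Local\\Google\\Chrome\\Application\\"],
        "ParentImage|endswith": r"\Installer\setup.exe", "ParentCommandLine|contains": "--uninstall ",
        "Image|endswith": r"\rundll32.exe", "CommandLine|endswith": "rundll32.exe"},
    "condition": "1 of selection_* and not 1 of filter_optional_*",
}}

S32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed process_creation events, not real telemetry
    {"Image": S32 + r"\rundll32.exe", "CommandLine": S32 + r"\rundll32.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\beacon.exe"},          # bare rundll32: fires
    {"Image": S32 + r"\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": S32 + r"\explorer.exe"},                                     # has arguments
    {"Image": S32 + r"\rundll32.exe", "CommandLine": "rundll32.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\EdgeUpdate\Install\{9A1B}\setup.exe"},  # filtered
    {"Image": S32 + r"\WerFault.exe", "CommandLine": "WerFault.exe",
     "ParentImage": r"C:\Users\alice\Downloads\loader.exe"},                     # Kraken-style: fires
    {"Image": S32 + r"\WerFault.exe", "CommandLine": S32 + r"\WerFault.exe -u -p 4120 -s 1234",
     "ParentImage": S32 + r"\svchost.exe"},                                      # normal crash handling
]
```

evaluate(BAD_OPSEC_DEFAULTS, SAMPLE_EVENTS) returns [0, 3]: the argument-less rundll32 and the argument-less WerFault. Event 2 is the case the optional Edge-update filter exists for: the bare rundll32.exe is real, but its parent is the installer, so the filter suppresses it. Filters named filter_optional_* are meant to be dropped when your fleet does not have the product they cover.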
CobaltStrike Load by Rundll32 (level: high)
Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.
Status: test | Author: Wojciech Lesicki | ID: ae9c6a7c-9521-42a6-915e-5aaa8689d529
title: CobaltStrike Load by Rundll32
id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
status: test
description: Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.
references:
    - https://www.cobaltstrike.com/help-windows-executable
    - https://redcanary.com/threat-detection-report/
    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
author: Wojciech Lesicki
date: 2021-06-01
modified: 2022-09-16
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_rundll:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: RUNDLL32.EXE
        - CommandLine|contains:
              - 'rundll32.exe'
              - 'rundll32 '
    selection_params:
        CommandLine|contains: '.dll'
        CommandLine|endswith:
            - ' StartW'
            - ',StartW'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
HTML Help HH.EXE Suspicious Child Process (level: high)
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
Status: test | Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems) | ID: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.execution
    - attack.initial-access
    - attack.stealth
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith:
            - '\CertReq.exe'
            - '\CertUtil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\installutil.exe'
            - '\MSbuild.exe'
            - '\MSHTA.EXE'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
HackTool - RedMimicry Winnti Playbook Execution (level: high)
Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility.
Status: test | Author: Alexander Rausch | ID: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
Potential PowerShell Execution Via DLL (level: high)
Detects potential PowerShell execution from a DLL instead of the usual PowerShell process, as seen in PowerShdll.
This detection assumes that PowerShell commands are passed via the CommandLine.
Status: test | Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems) | ID: 6812a10b-60ea-420c-832f-dfcc33b646ba
title: Potential PowerShell Execution Via DLL
id: 6812a10b-60ea-420c-832f-dfcc33b646ba
status: test
description: |
    Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.
    This detection assumes that PowerShell commands are passed via the CommandLine.
references:
    - https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-08-25
modified: 2024-03-07
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\InstallUtil.exe'
              - '\RegAsm.exe'
              - '\RegSvcs.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
        - OriginalFileName:
              - 'InstallUtil.exe'
              - 'RegAsm.exe'
              - 'RegSvcs.exe'
              - 'REGSVR32.EXE'
              - 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains:
            - 'Default.GetString'
            - 'DownloadString'
            - 'FromBase64String'
            - 'ICM '
            - 'IEX '
            - 'Invoke-Command'
            - 'Invoke-Expression'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Process Access via TrolleyExpress Exclusion (level: high)
Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
Status: test | Author: Florian Roth (Nextron Systems) | ID: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6
title: Process Access via TrolleyExpress Exclusion
id: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6
status: test
description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.youtube.com/watch?v=Ie831jF0bb0
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2022-05-13
tags:
    - attack.stealth
    - attack.t1218.011
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # We assume that the lsass.exe process has a process ID that's between 700 and 999 and the dumper uses just the PID as parameter
            - '\TrolleyExpress 7'
            - '\TrolleyExpress 8'
            - '\TrolleyExpress 9'
            - '\TrolleyExpress.exe 7'
            - '\TrolleyExpress.exe 8'
            - '\TrolleyExpress.exe 9'
            # Common dumpers
            - '\TrolleyExpress.exe -ma '
    renamed:
        Image|endswith: '\TrolleyExpress.exe'
    filter_renamed:
        OriginalFileName|contains: 'CtxInstall'
    filter_empty:
        OriginalFileName: null
    condition: selection or ( renamed and not 1 of filter* )
falsepositives:
    - Unknown
level: high
RunDLL32 Spawning Explorer (level: high)
Detects RunDLL32.exe spawning explorer.exe as a child process, which is very uncommon; Gamarue has been observed spawning explorer.exe in this unusual way.
Status: test | Author: elhoim, CD_ROM_ | ID: caa06de8-fdef-4c91-826a-7f9e163eef4b
title: RunDLL32 Spawning Explorer
id: caa06de8-fdef-4c91-826a-7f9e163eef4b
status: test
description: Detects RunDLL32.exe spawning explorer.exe as a child process, which is very uncommon; Gamarue has been observed spawning explorer.exe in this unusual way
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim, CD_ROM_
date: 2022-04-27
modified: 2022-05-25
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\rundll32.exe'
        Image|endswith: '\explorer.exe'
    filter:
        ParentCommandLine|contains: '\shell32.dll,Control_RunDLL'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Rundll32 UNC Path Execution (level: high)
Detects rundll32 execution where the DLL is located on a remote location (share)
Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: 5cdb711b-5740-4fb2-ba88-f7945027afac
title: Rundll32 UNC Path Execution
id: 5cdb711b-5740-4fb2-ba88-f7945027afac
status: test
description: Detects rundll32 execution where the DLL is located on a remote location (share)
references:
    - https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-10
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.stealth
    - attack.t1021.002
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli:
        CommandLine|contains: ' \\\\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
Shell32 DLL Execution in Suspicious Directory (level: high)
Detects shell32.dll executing a DLL in a suspicious directory
Status: test | Author: Christian Burkard (Nextron Systems) | ID: 32b96012-7892-429e-b26c-ac2bf46066ff
title: Shell32 DLL Execution in Suspicious Directory
id: 32b96012-7892-429e-b26c-ac2bf46066ff
status: test
description: Detects shell32.dll executing a DLL in a suspicious directory
references:
    - https://www.group-ib.com/resources/threat-research/red-curl-2.html
author: Christian Burkard (Nextron Systems)
date: 2021-11-24
modified: 2023-02-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'shell32.dll'
            - 'Control_RunDLL'
        CommandLine|contains:
            - '%AppData%'
            - '%LocalAppData%'
            - '%Temp%'
            - '%tmp%'
            - '\AppData\'
            - '\Temp\'
            - '\Users\Public\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Suspicious Control Panel DLL Load (level: high)
Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
Status: test | Author: Florian Roth (Nextron Systems) | ID: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819
title: Suspicious Control Panel DLL Load
id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819
status: test
description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
references:
    - https://twitter.com/rikvduijn/status/853251879320662017
    - https://twitter.com/felixw3000/status/853354851128025088
author: Florian Roth (Nextron Systems)
date: 2017-04-15
modified: 2023-02-09
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\System32\control.exe'
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    filter:
        CommandLine|contains: 'Shell32.dll'
    condition: all of selection_* and not filter
falsepositives:
    - Unknown
level: high
Suspicious HH.EXE Execution (level: high)
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
Status: test | Author: Maxim Pavlunin | ID: e8a95b5e-c891-46e2-b33a-93937d3abc31
Suspicious Rundll32 Activity Invoking Sys File (level: high)
Detects suspicious rundll32 activity based on a command line that references a *.sys file, as seen used by UNC2452.
Status: test | Author: Florian Roth (Nextron Systems) | ID: 731231b9-0b5d-4219-94dd-abb6959aa7ea
title: Suspicious Rundll32 Activity Invoking Sys File
id: 731231b9-0b5d-4219-94dd-abb6959aa7ea
status: test
description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
references:
    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains: 'rundll32.exe'
    selection2:
        CommandLine|contains:
            - '.sys,'
            - '.sys '
    condition: all of selection*
falsepositives:
    - Unknown
level: high
Suspicious Rundll32 Execution With Image Extension (level: high)
Detects the execution of Rundll32.exe with DLL files masquerading as image files
Status: test | Author: Hieu Tran | ID: 4aa6040b-3f28-44e3-a769-9208e5feb5ec
title: Suspicious Rundll32 Execution With Image Extension
id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec
related:
    - id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
      type: similar
status: test
description: Detects the execution of Rundll32.exe with DLL files masquerading as image files
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
date: 2023-03-13
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.exe'
    selection_cli:
        CommandLine|contains:
            - '.bmp'
            - '.cr2'
            - '.eps'
            - '.gif'
            - '.ico'
            - '.jpeg'
            - '.jpg'
            - '.nef'
            - '.orf'
            - '.png'
            - '.raw'
            - '.sr2'
            - '.tif'
            - '.tiff'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Suspicious ShellExec_RunDLL Call Via Ordinal (level: high)
Detects a suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through its ordinal number to launch other commands.
Adversaries might use only the ordinal number to bypass existing detections that alert on the string ShellExec_RunDLL in the command line.
Status: test | Author: Swachchhanda Shrawan Poudel | ID: 8823e85d-31d8-473e-b7f4-92da070f0fc6
title: Suspicious ShellExec_RunDLL Call Via Ordinal
id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
related:
    - id: d87bd452-6da1-456e-8155-7dc988157b7d
      type: derived
status: test
description: |
    Detects a suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through its ordinal number to launch other commands.
    Adversaries might use only the ordinal number to bypass existing detections that alert on the string ShellExec_RunDLL in the command line.
references:
    - https://redcanary.com/blog/raspberry-robin/
    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
    - https://github.com/SigmaHQ/sigma/issues/1009
    - https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
author: Swachchhanda Shrawan Poudel
date: 2024-12-01
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent_img:
        ParentCommandLine|contains: 'SHELL32.DLL'
    selection_parent_ordinal:
        ParentCommandLine|contains:
            # Note: The ordinal number may differ depending on the DLL version
            # Example: rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"
            - '#568'
            - '#570'
            - '#572'
            - '#576'
    selection_susp_cli_parent:
        # Note: Add additional binaries and suspicious paths to increase coverage
        - ParentCommandLine|contains:
              - 'comspec'
              - 'iex'
              - 'Invoke-'
              - 'msiexec'
              - 'odbcconf'
              - 'regsvr32'
        - ParentCommandLine|contains:
              - '\Desktop\'
              - '\ProgramData\'
              - '\Temp\'
              - '\Users\Public\'
    selection_susp_child_img:
        Image|endswith:
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\msxsl.exe'
            - '\odbcconf.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: all of selection_parent_* and 1 of selection_susp_*
falsepositives:
    - Unknown
level: high
Code Execution via Pcwutl.dll (level: medium)
Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
Status: test | Author: Julia Fomina, oscd.community | ID: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
title: Code Execution via Pcwutl.dll
id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
status: test
description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/
    - https://twitter.com/harr0ey/status/989617817849876488
author: Julia Fomina, oscd.community
date: 2020-10-05
modified: 2023-02-09
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'pcwutl'
            - 'LaunchApplication'
    condition: all of selection_*
falsepositives:
    - Use of Program Compatibility Troubleshooter Helper
level: medium
Outbound Network Connection To Public IP Via Winlogon (level: medium)
Detects a "winlogon.exe" process that initiates network communications with public IP addresses.
Status: test | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | ID: 7610a4ea-c06d-495f-a2ac-0a696abcfd3b
title: Outbound Network Connection To Public IP Via Winlogon
id: 7610a4ea-c06d-495f-a2ac-0a696abcfd3b
status: test
description: Detects a "winlogon.exe" process that initiates network communications with public IP addresses
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
date: 2023-04-28
modified: 2024-03-12
tags:
    - attack.execution
    - attack.command-and-control
    - attack.stealth
    - attack.t1218.011
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\winlogon.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Communication to other corporate systems that use IP addresses from public address spaces
level: medium
Potentially Suspicious Rundll32 Activity (level: medium)
Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
Potentially Suspicious Rundll32.EXE Execution of UDL File (level: medium)
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
Status: test | Author: @kostastsale | ID: 0ea52357-cd59-4340-9981-c46c7e900428
title: Potentially Suspicious Rundll32.EXE Execution of UDL File
id: 0ea52357-cd59-4340-9981-c46c7e900428
status: test
description: |
    Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
    Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
references:
    - https://trustedsec.com/blog/oops-i-udld-it-again
author: '@kostastsale'
date: 2024-08-16
tags:
    - attack.execution
    - attack.command-and-control
    - attack.stealth
    - attack.t1218.011
    - attack.t1071
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'oledb32.dll'
            - ',OpenDSLFile '
            - '\\Users\\*\\Downloads\\' # Note: You can adjust the path to the download directory or other directories according to your environment.
        CommandLine|endswith: '.udl'
    condition: all of selection_*
falsepositives:
    - UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
level: medium
Remote Thread Creation Via PowerShell In Uncommon Target (level: medium)
Detects the creation of a remote thread from a PowerShell process in an uncommon target process.
Status: test | Author: Florian Roth (Nextron Systems) | ID: 99b97608-3e21-4bfe-8217-2a127c396a0e
title: Remote Thread Creation Via PowerShell In Uncommon Target
id: 99b97608-3e21-4bfe-8217-2a127c396a0e
related:
    - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
      type: similar
status: test
description: Detects the creation of a remote thread from a Powershell process in an uncommon target process
references:
    - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
author: Florian Roth (Nextron Systems)
date: 2018-06-25
modified: 2023-11-10
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218.011
    - attack.t1059.001
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetImage|endswith:
            # Note: Please add additional potential interesting targets to increase coverage
            - '\rundll32.exe'
            - '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Rundll32 Execution With Uncommon DLL Extension (level: medium)
Detects the execution of rundll32 with a command line that doesn't contain a common extension
Status: test | Author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou | ID: c3a99af4-35a9-4668-879e-c09aeb4f2bdf
title: Rundll32 Execution With Uncommon DLL Extension
id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf
status: test
description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
references:
    - https://twitter.com/mrd0x/status/1481630810495139841?s=12
author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
date: 2022-01-13
modified: 2024-04-04
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    filter_main_null:
        CommandLine: null
    filter_main_empty:
        CommandLine: ''
    filter_main_known_extension:
        - CommandLine|contains:
              # Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage.
              - '.cpl '
              - '.cpl,'
              - '.cpl"'
              - ".cpl'"
              - '.dll '
              - '.dll,'
              - '.dll"'
              - ".dll'"
              - '.inf '
              - '.inf,'
              - '.inf"'
              - ".inf'"
        - CommandLine|endswith:
              # Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage.
              - '.cpl'
              - '.dll'
              - '.inf'
    filter_main_localserver:
        CommandLine|contains: ' -localserver '
    filter_main_zzzzInvokeManagedCustomActionOutOfProc:
        ParentImage|endswith: '\msiexec.exe'
        CommandLine|contains|all:
            - ':\Windows\Installer\'
            - '.tmp'
            - 'zzzzInvokeManagedCustomActionOutOfProc'
    filter_optional_EdgeUpdate:
        ParentCommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
            - '\EDGEMITMP_'
            - '.tmp\setup.exe'
            - '--install-archive='
            - '--previous-version='
            - '--msedgewebview --verbose-logging --do-not-launch-msedge --user-level'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
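Several rules on this page key on raw CommandLine substrings: " StartW" and ",StartW", ".sys," and ".sys ", a space followed by a UNC prefix, "#572", an image extension anywhere in the line, or the absence of ".dll", ".cpl" and ".inf". As an added example (not code from SigmaHQ or from any of the referenced reports), the parser below first splits a rundll32 command line into module, entry point and arguments using Windows double-quote rules, then asks the same questions against the parsed fields, so a ".png" inside a quoted argument or a ".dll" in a directory name no longer decides the outcome. It assumes, as the StartW rule above does, that the module and entry point may be separated either by a comma or by a space; the command lines in SAMPLES are constructed.

```python
"""Parse rundll32 command lines before matching on them.

Added example, not SigmaHQ code. rundll32 syntax is "rundll32 <module>[,<entry>] [args]";
this parser also accepts a space between module and entry (assumption, mirroring the
StartW rule on this page) and strips Windows double quotes when splitting arguments.
"""
import ntpath

KNOWN_MODULE_EXTS = {".dll", ".cpl", ".inf"}                       # uncommon-extension rule
IMAGE_EXTS = {".bmp", ".cr2", ".eps", ".gif", ".ico", ".jpeg", ".jpg", ".nef",
              ".orf", ".png", ".raw", ".sr2", ".tif", ".tiff"}       # image-extension rule


def split_windows_args(cmdline):
    """Split on unquoted whitespace; double quotes group text and are removed."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_rundll32(cmdline):
    """Return {'module', 'entry', 'args'} for a rundll32 command line, else None."""
    argv = split_windows_args(cmdline)
    if not argv or ntpath.basename(argv[0]).lower() not in ("rundll32", "rundll32.exe"):
        return None
    if len(argv) == 1:                                  # bare rundll32: sacrificial process
        return {"module": None, "entry": None, "args": []}
    module, _, entry = argv[1].partition(",")
    rest = argv[2:]
    if not entry and rest:                              # "rundll32 x.dll Entry args" form
        entry, rest = rest[0], rest[1:]
    return {"module": module, "entry": entry or None, "args": rest}


def classify(cmdline):
    """Tags naming which of this page's rules the parsed command line concerns."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    if parsed["module"] is None:
        return ["bare-rundll32"]                        # Bad Opsec Defaults rule
    tags, ext = [], ntpath.splitext(parsed["module"])[1].lower()
    if parsed["module"].startswith("\\\\"):
        tags.append("unc-path")                         # Rundll32 UNC Path Execution
    if ext not in KNOWN_MODULE_EXTS:
        tags.append("uncommon-extension")               # Rundll32 Execution With Uncommon DLL Extension
    if ext in IMAGE_EXTS:
        tags.append("image-extension")                  # Suspicious Rundll32 Execution With Image Extension
    if ext == ".sys":
        tags.append("sys-module")                       # Suspicious Rundll32 Activity Invoking Sys File
    entry = (parsed["entry"] or "").lower()
    if entry.startswith("#"):
        tags.append("ordinal-entry")                    # cf. Suspicious ShellExec_RunDLL Call Via Ordinal
    if entry == "startw":
        tags.append("startw-entry")                     # CobaltStrike Load by Rundll32
    return tags


SAMPLES = {  # constructed command lines, not taken from the referenced reports
    "bare": r"C:\Windows\System32\rundll32.exe",
    "control_panel": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\desk.cpl",
    "unc": r"rundll32.exe \\10.0.0.5\share\payload.dll,DllRegisterServer",
    "png": r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\photo.png",DllMain',
    "sys": r"rundll32.exe C:\Windows\Temp\driver.sys,Start",
    "ordinal": r'rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"',
    "startw": r"rundll32.exe C:\Users\Public\beacon.dll StartW",
    "not_rundll32": r"C:\Windows\System32\regsvr32.exe /s C:\Users\Public\x.dll",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:14} {classify(cmd)}")
```

Parsing first also makes the ordinal case explicit: any entry point starting with "#" is an ordinal call whatever the module, which the ShellExec_RunDLL rule above has to approximate with four hard-coded numbers that depend on the shell32.dll build.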
Rundll32 InstallScreenSaver Execution (level: medium)
An attacker may execute an application as an SCR file using rundll32.exe desk.cpl,InstallScreenSaver.
Status: test | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec | ID: 15bd98ea-55f4-4d37-b09a-e7caa0fa2221
title: Rundll32 InstallScreenSaver Execution
id: 15bd98ea-55f4-4d37-b09a-e7caa0fa2221
status: test
description: An attacker may execute an application as an SCR file using rundll32.exe desk.cpl,InstallScreenSaver
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Desk/
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec'
date: 2022-04-28
modified: 2023-02-09
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains: 'InstallScreenSaver'
    condition: all of selection_*
falsepositives:
    - Legitimate installation of a new screensaver
level: medium
Rundll32 Internet Connection (level: medium)
Detects a rundll32 that communicates with public IP addresses
Status: test | Author: Florian Roth (Nextron Systems) | ID: cdc8da7d-c303-42f8-b08c-b4ab47230263
title: Rundll32 Internet Connection
id: cdc8da7d-c303-42f8-b08c-b4ab47230263
status: test
description: Detects a rundll32 that communicates with public IP addresses
references:
    - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-11-04
modified: 2024-03-13
tags:
    - attack.stealth
    - attack.t1218.011
    - attack.execution
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    filter_main_ms_ranges:
        DestinationIp|cidr:
            - '20.0.0.0/8' # Microsoft range, caused some FPs
            - '51.103.0.0/16' # Microsoft AS8075 range, caused some FPs
            - '51.104.0.0/16' # Microsoft AS8075 range, caused some FPs
            - '51.105.0.0/16' # Microsoft AS8075 range, caused some FPs
    filter_main_app_sdb:
        CommandLine|endswith: '\system32\PcaSvc.dll,PcaPatchSdbTask'
    filter_main_azure_managed:
        SourceHostname|endswith: '.internal.cloudapp.net'
    filter_main_svchost_update_processes:
        # Note: This require "ParentImage" data enrichment.
        ParentImage: 'C:\Windows\System32\svchost.exe'
        DestinationPort: 443
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Communication to other corporate systems that use IP addresses from public address spaces
level: medium
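Every part of this rule after the selection is an exclusion, and the Winlogon rule earlier on the page shares the same local-range list, so the tuning question is not only "did it fire" but "which filter swallowed it". The Python below is an added example, not SigmaHQ code: it applies the selection and each filter_main_* exclusion in the order the rule lists them and returns the name of the first one that suppressed the event. The events are constructed; DestinationIp, Initiated, SourceHostname and ParentImage carry the field names the rule expects.

```python
"""Replay the 'Rundll32 Internet Connection' selection and filters over constructed events.

Added example, not SigmaHQ code. suppressing_filter() returns None when the rule
fires and otherwise the name of the rule part that stopped the event.
"""
import ipaddress

LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7")]
MS_RANGES = [ipaddress.ip_network(n) for n in (
    "20.0.0.0/8", "51.103.0.0/16", "51.104.0.0/16", "51.105.0.0/16")]


def in_any(ip, networks):
    """Sigma's |cidr modifier; an IPv4 address is never inside an IPv6 network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def _f(event, key):
    return str(event.get(key, "")).lower()          # Sigma string matching is case-insensitive


def suppressing_filter(event):
    """None when the rule fires; otherwise the name of the part that stopped it."""
    if not (_f(event, "Image").endswith("\\rundll32.exe") and _f(event, "Initiated") == "true"):
        return "selection"
    if in_any(event["DestinationIp"], LOCAL_RANGES):
        return "filter_main_local_ranges"
    if in_any(event["DestinationIp"], MS_RANGES):
        return "filter_main_ms_ranges"
    if _f(event, "CommandLine").endswith("\\system32\\pcasvc.dll,pcapatchsdbtask"):
        return "filter_main_app_sdb"
    if _f(event, "SourceHostname").endswith(".internal.cloudapp.net"):
        return "filter_main_azure_managed"
    if _f(event, "ParentImage") == "c:\\windows\\system32\\svchost.exe" and _f(event, "DestinationPort") == "443":
        return "filter_main_svchost_update_processes"
    return None


def alerts(events):
    """Indices of the events on which the rule fires."""
    return [i for i, e in enumerate(events) if suppressing_filter(e) is None]


def _ev(dst, **overrides):
    base = {"Image": r"C:\Windows\System32\rundll32.exe", "Initiated": "true", "DestinationIp": dst,
            "DestinationPort": 443, "ParentImage": r"C:\Users\bob\AppData\Local\Temp\dropper.exe",
            "CommandLine": r"rundll32.exe C:\Users\Public\stage.dll,Start"}
    base.update(overrides)
    return base


EVENTS = [  # constructed network_connection events, not real telemetry
    _ev("203.0.113.10"),                                       # public destination: fires
    _ev("10.20.30.40"),                                        # RFC 1918
    _ev("20.50.60.70"),                                        # Microsoft/Azure range: never alerts
    _ev("fd12:3456::1"),                                       # IPv6 unique local
    _ev("198.51.100.7", Initiated="false"),                    # inbound, outside the selection
    _ev("198.51.100.8", ParentImage=r"C:\Windows\System32\svchost.exe"),
    _ev("198.51.100.9", CommandLine=r"C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask"),
    _ev("198.51.100.10", SourceHostname="ws01.internal.cloudapp.net"),
]

if __name__ == "__main__":
    for i, e in enumerate(EVENTS):
        print(i, e["DestinationIp"], suppressing_filter(e) or "ALERT")
```

Event 2 is the caveat to keep in mind: filter_main_ms_ranges drops every destination in 20.0.0.0/8, a block that also hosts ordinary Azure tenants, so a rundll32 beacon to attacker-controlled Azure infrastructure never alerts. If you keep that exclusion for noise reasons, pair this rule with one keyed on the command line or the parent process rather than on the destination address.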
SCR File Write Event (level: medium)
Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
Status: test | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | ID: c048f047-7e2a-4888-b302-55f509d4a91d
title: SCR File Write Event
id: c048f047-7e2a-4888-b302-55f509d4a91d
status: test
description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Desk/
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022-04-27
modified: 2023-08-23
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '.scr'
    filter:
        TargetFilename|contains:
            - ':\$WINDOWS.~BT\NewOS\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
            - ':\WUDownloadCache\' # Windows Update Download Cache
    condition: selection and not filter
falsepositives:
    - The installation of new screen savers by third party software
level: medium
ScreenSaver Registry Key Set (level: medium)
Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
Status: test | Author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) | ID: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce
title: ScreenSaver Registry Key Set
id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce
status: test
description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
references:
    - https://twitter.com/VakninHai/status/1517027824984547329
    - https://twitter.com/pabraeken/status/998627081360695297
    - https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
date: 2022-05-04
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        Image|endswith: '\rundll32.exe'
    registry:
        TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE'
        Details|endswith: '.scr'
    filter:
        Details|contains:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and registry and not filter
falsepositives:
    - Legitimate use of screen saver
level: medium
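The three screensaver rules on this page (Rundll32 InstallScreenSaver Execution, SCR File Write Event and ScreenSaver Registry Key Set) each see one step of the same technique on a different log source. As an added example that is not part of SigmaHQ, the Python below re-implements each rule's logic on its own event category and then correlates them per host: a .scr written outside the system folders, rundll32 desk.cpl,InstallScreenSaver naming that file, and SCRNSAVE.EXE set to it, all within a time window. The events, hostnames, SID and timestamps are constructed, and the host and ts fields are assumed enrichment that Sigma itself does not define.

```python
"""Correlate this page's three screensaver rules into one chain per host.

Added example, not SigmaHQ code (the rules are independent; this is the join a SIEM
query would do on top of them). 'host' and 'ts' are assumed enrichment fields.
"""
from datetime import datetime, timedelta

SYSTEM_DIRS = (":\\$windows.~bt\\newos\\", ":\\windows\\system32\\", ":\\windows\\syswow64\\",
               ":\\windows\\winsxs\\", ":\\wudownloadcache\\")       # from 'SCR File Write Event'


def _low(event, key):
    return str(event.get(key, "")).lower()


def scr_file_write(event):
    """'SCR File Write Event': a .scr created outside the system folders."""
    name = _low(event, "TargetFilename")
    return (event["category"] == "file_event" and name.endswith(".scr")
            and not any(d in name for d in SYSTEM_DIRS))


def install_screensaver_exec(event):
    """'Rundll32 InstallScreenSaver Execution'; returns the .scr argument, else None."""
    if event["category"] != "process_creation" or not _low(event, "Image").endswith("\\rundll32.exe"):
        return None
    cmd = _low(event, "CommandLine")
    if "installscreensaver" not in cmd:
        return None
    return cmd.split("installscreensaver", 1)[1].strip().strip('"') or None


def scrnsave_registry_set(event):
    """'ScreenSaver Registry Key Set': rundll32 points SCRNSAVE.EXE at a non-system .scr."""
    details = _low(event, "Details")
    return (event["category"] == "registry_set" and _low(event, "Image").endswith("\\rundll32.exe")
            and "\\control panel\\desktop\\scrnsave.exe" in _low(event, "TargetObject")
            and details.endswith(".scr")
            and not any(d in details for d in ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")))


def _within(earlier, later, window):
    delta = datetime.fromisoformat(later["ts"]) - datetime.fromisoformat(earlier["ts"])
    return timedelta(0) <= delta <= window


def screensaver_chains(events, window=timedelta(minutes=10)):
    """Hosts where write -> InstallScreenSaver -> SCRNSAVE.EXE happened for one .scr."""
    chains = []
    for reg in (e for e in events if scrnsave_registry_set(e)):
        scr = _low(reg, "Details")
        peers = [e for e in events if e["host"] == reg["host"] and _within(e, reg, window)]
        wrote = any(scr_file_write(e) and _low(e, "TargetFilename") == scr for e in peers)
        ran = any(install_screensaver_exec(e) == scr for e in peers)
        if wrote and ran:
            chains.append({"host": reg["host"], "scr": scr})
    return chains


SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"                 # made-up user SID
SCRNSAVE = f"HKU\\{SID}\\Control Panel\\Desktop\\SCRNSAVE.EXE"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
EVENTS = [  # constructed, not real telemetry
    {"ts": "2024-05-01T10:00:00", "host": "WS01", "category": "file_event",
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe", "TargetFilename": r"C:\Users\Public\update.scr"},
    {"ts": "2024-05-01T10:00:05", "host": "WS01", "category": "process_creation", "Image": RUNDLL32,
     "CommandLine": r"rundll32.exe desk.cpl,InstallScreenSaver C:\Users\Public\update.scr"},
    {"ts": "2024-05-01T10:00:06", "host": "WS01", "category": "registry_set", "Image": RUNDLL32,
     "TargetObject": SCRNSAVE, "Details": r"C:\Users\Public\update.scr"},
    {"ts": "2024-05-01T11:00:00", "host": "WS02", "category": "file_event",            # update staging
     "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\Windows\System32\ssText3d.scr"},
    {"ts": "2024-05-01T11:00:01", "host": "WS02", "category": "registry_set", "Image": RUNDLL32,
     "TargetObject": SCRNSAVE, "Details": r"C:\Windows\System32\ssText3d.scr"},        # built-in saver
    {"ts": "2024-05-01T12:00:00", "host": "WS03", "category": "file_event",            # dropped, never installed
     "Image": r"C:\Users\bob\Downloads\invoice.exe", "TargetFilename": r"C:\Users\bob\AppData\Roaming\lonely.scr"},
]

if __name__ == "__main__":
    print(screensaver_chains(EVENTS))      # only WS01 completes the chain
```

WS02 shows why each rule filters the system folders: setting a built-in screensaver goes through the same rundll32 and registry path. WS03 shows the value of the file rule on its own: the dropped .scr alerts at medium even though the chain never completes.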
Suspicious Rundll32 Setupapi.dll Activity (level: medium)
The setupapi.dll library exports the InstallHinfSection function for processing INF files. An INF file may contain instructions to create registry values, modify files and install drivers, so the technique can be used for persistence by modifying a Run or RunOnce registry key, to start a process, or to chain calls into other DLLs (see references). InstallHinfSection in setupapi.dll launches runonce.exe regardless of the actual content of the INF file.
Status: test | Author: Konstantin Grishchenko, oscd.community | ID: 285b85b1-a555-4095-8652-a8a4106af63f
title: Suspicious Rundll32 Setupapi.dll Activity
id: 285b85b1-a555-4095-8652-a8a4106af63f
status: test
description: The setupapi.dll library exports the InstallHinfSection function for processing INF files. An INF file may contain instructions to create registry values, modify files and install drivers, so the technique can be used for persistence by modifying a Run or RunOnce registry key, to start a process, or to chain calls into other DLLs (see references). InstallHinfSection in setupapi.dll launches runonce.exe regardless of the actual content of the INF file.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Setupapi/
    - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
    - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
    - https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
author: Konstantin Grishchenko, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\runonce.exe'
        ParentImage|endswith: '\rundll32.exe'
        ParentCommandLine|contains|all:
            - 'setupapi.dll'
            - 'InstallHinfSection'
    condition: selection
falsepositives:
    - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
level: medium
Unsigned DLL Loaded by Windows Utility (level: medium)
Detects Windows utilities loading an unsigned or untrusted DLL.
Adversaries often abuse those programs to proxy execution of malicious code.
Status: test | Author: Swachchhanda Shrawan Poudel | ID: b5de0c9a-6f19-43e0-af4e-55ad01f550af
title: Unsigned DLL Loaded by Windows Utility
id: b5de0c9a-6f19-43e0-af4e-55ad01f550af
status: test
description: |
    Detects windows utilities loading an unsigned or untrusted DLL.
    Adversaries often abuse those programs to proxy execution of malicious code.
references:
    - https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion
    - https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
    - https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
author: Swachchhanda Shrawan Poudel
date: 2024-02-28
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1218.011
    - attack.t1218.010
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith:
            # Note: Add additional utilities that allow the loading of DLLs
            - '\InstallUtil.exe'
            - '\RegAsm.exe'
            - '\RegSvcs.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
    filter_main_signed:
        Signed: 'true'
    filter_main_sig_status:
        SignatureStatus:
            - 'errorChaining'
            - 'errorCode_endpoint'
            - 'errorExpired'
            - 'trusted'
            - 'Valid'
    filter_main_signed_null:
        Signed: null
    filter_main_signed_empty:
        Signed:
            - ''
            - '-'
    filter_main_sig_status_null:
        SignatureStatus: null
    filter_main_sig_status_empty:
        SignatureStatus:
            - ''
            - '-'
    filter_main_windows_installer:
        Image:
            - 'C:\Windows\SysWOW64\rundll32.exe'
            - 'C:\Windows\System32\rundll32.exe'
        ImageLoaded|startswith: 'C:\Windows\Installer\'
        ImageLoaded|endswith:
            - '.tmp-\Microsoft.Deployment.WindowsInstaller.dll'
            - '.tmp-\Avira.OE.Setup.CustomActions.dll'
    filter_main_assembly:
        Image|startswith:
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\Microsoft.NET\Framework64'
        Image|endswith: '\RegAsm.exe'
        ImageLoaded|endswith: '.dll'
        ImageLoaded|startswith: 'C:\Windows\assembly\NativeImages'
    filter_optional_klite_codec:
        Image:
            - 'C:\Windows\SysWOW64\regsvr32.exe'
            - 'C:\Windows\System32\regsvr32.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\K-Lite Codec Pack\'
            - 'C:\Program Files\K-Lite Codec Pack\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium