
# Elastic Endpoint behavior-protection rule: flags rundll32.exe process starts whose
# command line or parent process shows indicators commonly seen in proxy execution
# of attacker-controlled code (T1218.011), then kills the process.
[rule]
description = """
Identifies unusual instances of RunDLL32 with suspicious keywords or paths in the process command line value. Adversaries
may abuse rundll32.exe to proxy execution of malicious code.
"""
id = "cfaf983e-1129-464c-b0aa-270f42e20d3d"
license = "Elastic License v2"
name = "RunDLL32 with Unusual Arguments"
os_list = ["windows"]
reference = [
    "https://www.elastic.co/security-labs/dipping-into-danger",
    "https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657",
    "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary",
]
version = "1.0.43"

# EQL query. Structure: a `process start` for rundll32.exe that matches ANY of the
# indicator groups in the first parenthesised block (unusual file extensions or paths
# as the DLL argument, export called by ordinal, mixed-case image name, a bogus
# Control_RunDLL export, a delaying cmd.exe parent, Temp execution under a script
# host / WMI parent, or a suspicious powershell.exe parent), minus the
# `/* False Positives */` exclusions that follow.
#
# Operator note: `:` is EQL's case-insensitive wildcard match; the single `like`
# clause ("*rUNdlL32.eXe*") is case-sensitive on purpose, so it only fires on the
# unusual mixed-case spelling, not on ordinary invocations.
#
# Tuning note: several exclusions are keyed to locations that are typically
# user-writable (Users\Public, ProgramData, AppData\Local\Temp) or match anywhere in
# the whole command line rather than just the image path; review them whenever a new
# exclusion is added so the allow-list does not grow broader than the indicator it
# was meant to suppress.
query = '''
process where event.action == "start" and process.name : "rundll32.exe" and
 (
  /* suspicious extensions and paths */
  (process.command_line : "*\\AppData\\Local\\Temp\\*,*" and not process.command_line : "*.dll*") or
  process.command_line : ("*.jpg*,*", "*.png*,*", "*.gif*,*", "*.bmp*,*", "*.jpeg*,*", "*.TIFF*,*", "*.tmp*,*",
                          "*.dat*,*", "*.txt*,*", "* ?:/*/*", "* ..\\*", "*:\\Users\\Public\\*,*",
                          "*:\\Users\\*\\Documents\\*,*", "*:\\Users\\*\\Pictures\\*,*", "*:\\Users\\*\\Music\\*,*",
                          "*:\\Windows\\Tasks\\*,*", "*:\\Windows\\System32\\tasks\\*,*",
                          "*:\\Documents and Settings\\*,*", "*\\@SSL\\DavWWWRoot\\*",
                          /* Issue #371 */
                          "*.bin,*", "*.log,*", "*.nki,*", "*\\M?-*.dll,_run@*", "*%TEMP%\\*.cpl*",
                          "*\\Users\\*\\Downloads\\*.cpl*", "*\\appdata\\roaming\\microsoft\\templates\\*,*",
                          /* DLL exec by ordinal */
                          "* #*", "*,#*") or
  process.command_line like "*rUNdlL32.eXe*" or
  /* fake Control_RunDLL export */
  (process.command_line : "*Control_RunDLL*" and not process.command_line : "*shell32.dll*Control_RunDLL*") or
  /* delayed execution */
  (process.parent.name : "cmd.exe" and process.parent.args : ("timeout", "ping", "choice") and
   process.parent.args : ("/nobreak", "/n", "/t")) or
  /* execution from temp with suspicious parent process tree */
  (process.command_line : "*\\AppData\\Local\\Temp\\*" and
   process.parent.name : ("wscript.exe", "cscript.exe", "wmiprvse.exe")) or
  /* suspicious parent powershell args */
  (process.parent.name : "powershell.exe" and
   process.parent.args : ("-enc", "IEX", "*wp-content*", "*wp-admin*", "*wp-includes*", "*$*$*$*$*$*",
                          "*^*^*^*^*^*^*^*^*^*", "*.replace*") and
   not (process.args : "UpdatePerUserSystemParameters" and process.args : "USER32.DLL"))
 )
 /* False Positives */
 and not process.command_line : ("*JOBID=*", "*davclnt.dll,DavSetCookie*", "*PhotoViewer*ImageView_Fu*",
                                 "*url.dll,FileProtocolHandler*", "*zzzzInvokeManagedCustomActionOutOfProc*",
                                 "*,DeferredDelete*", "*:\\WINDOWS\\system32\\spool\\*",
                                 "*:\\Program Files (x86)\\*", "*:\\Program Files\\*",
                                 /* Issue #282 - FP */
                                 "*cryptext*CryptExt*", "*dfshim.dll*ShOpenVerbShortcut*",
                                 "*\\Documents\\DocuShare\\*",
                                 /* Issue #371 */
                                 "*ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile*",
                                 "*FirewallControlPanel.dll,ShowNotificationDialog*",
                                 "*--type=renderer*--log-file=*", "*--lang=*--log-file=*",
                                 "*shell32*OpenAs_RunDLL*", "*dfshim*ShOpenVerbExtension*",
                                 "*printui*PrintUIEntry*", "*mshtml*PrintHTML*", "*shell32*#44*",
                                 "*shell32.dll*ShellExec_RunDLL*#*", "*EDGEHTML*#*" ) and
 not (process.command_line : "*.tmp*" and
      process.parent.executable : ("?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\SysWOW64\\msiexec.exe") and
      process.parent.args : "-Embedding") and
 not process.args : "?:\\ProgramData\\Parallels\\RASLogs\\tmp*.tmp,StopMemshell" and
 not (process.args : "?:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\Windows_*\\acsnative.dll*" and
      process.parent.executable : "?:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\Windows_*\\acslaunch_*.exe") and
 not process.parent.executable : ("?:\\Program Files\\Common Files\\BullGuardInstall\\BullGuard*.exe",
                                  "?:\\Program Files (x86)\\Intuit\\QuickBooks 20??\\QBW??.EXE",
                                  "?:\\Program Files\\Intuit\\QuickBooks 2022\\QBW.EXE",
                                  "C:\\Users\\Public (x86)\\Spectra\\temp\\smsx.exe") and
 not (user.name : "user" and process.args : "file.dll,#*") and
 not (process.name : "rundll32.exe" and process.args : "uxtheme.dll,#64" and
      process.args : "?:\\WINDOWS\\Resources\\Themes\\*") and
 not process.parent.executable : ("?:\\Program Files\\NVIDIA Corporation\\*.exe",
                                  "?:\\Program Files (x86)\\Windows Media Components\\Encoder\\wmstypelib.exe",
                                  "?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AdobeCollabSync.exe") and
 not (process.name : "rundll32.exe" and
      process.args : ("dfshim.dll,ShArpMaintain",
                      "?:\\WINDOWS\\SYSTEM32\\MSHTML.dll,#125",
                      "dfshim.dll,ShOpenVerbApplication",
                      "?:\\WINDOWS\\System32\\shimgvw.dll,ImageView_PrintTo",
                      "?:\\Windows\\System32\\DriverStore\\FileRepository\\*",
                      "?:\\Windows\\system32\\hotplug.dll,HotPlugSafeRemovalDriveNotification",
                      "c:\\EWDK??\\Program Files\\Microsoft Visual Studio\\*,#1",
                      "?:\\ProgramData\\FastTrack Software\\Admin By Request\\ShellHelper32.dll,#1",
                      "?:\\ProgramData\\FastTrack Software\\Admin By Request\\ShellHelper64.dll,#1",
                      "C:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\Windows_x86-64\\acsnative.dll,",
                      "C:\\Windows\\TEMP\\*.tmp\\uninshlp.dll,DeleteExeAndDeleteSelf",
                      "?:\\Users\\*\\AppData\\Local\\Temp\\ns*.tmp\\BgInstallAssist.dll,RunDll_*",
                      "?:\\WINDOWS\\Installer\\MSI*.tmp*")) and
 not (process.name : "rundll32.exe" and process.args : "?:\\Users\\*\\AppData\\Local\\Temp\\ns*.tmp\\*" and
      process.parent.executable : "?:\\Users\\*\\AppData\\Local\\Temp\\ns*.tmp") and
 not (process.parent.executable : "?:\\Program Files*\\Splashtop\\Splashtop Remote\\Client for STB\\strwinclt.exe" and
      process.args : "?:\\ProgramData\\FastTrack Software\\Admin By Request\\ShellHelper64.dll,#1") and
 not (process.name : "rundll32.exe" and
      process.command_line : "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\*\\AppData\\Local\\Temp\\GLF*.tmp\",RunDll32_KillDTG" and
      process.parent.name : "BelMonitor.exe") and
 not process.command_line : "rundll32.exe \"C:\\ProgramData\\FastTrack Software\\Admin By Request\\ShellHelper??.dll\",#1"
'''
# Also repeated under [internal] below; presumably both must stay in sync — confirm against the rule loader.
min_endpoint_version = "7.15.0"

# Response action taken on a match: terminate the matching process.
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

# Additional action an operator may enable (not applied by default, going by the table name).
[[optional_actions]]
action = "rollback"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"

[[threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"

[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[internal]
# Duplicates [rule].min_endpoint_version; keep the two values identical.
min_endpoint_version = "7.15.0"