Rundll32 Control RunDLL World Writable Directory: endpointEndpointrisk_score:802024-11-28version:5
The following analytic detects the execution of rundll32.exe with the `Control_RunDLL` command, loading files from world-writable directories such as windows\temp, programdata, or appdata. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process command-line data and specific directory paths. This activity is significant as it may indicate an attempt to exploit CVE-2021-40444 or similar vulnerabilities, allowing attackers to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment.
Rundll32 with no Command Line Arguments with Network: endpointEndpointrisk_score:702024-11-28version:7
The following analytic detects the execution of rundll32.exe without command line arguments, followed by a network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry and network traffic data. It is significant because rundll32.exe typically requires arguments to function, and its absence is often associated with malicious activity, such as Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to establish unauthorized network connections, potentially leading to data exfiltration or further compromise of the system.
Detect Rundll32 Application Control Bypass - advpack: endpointEndpointrisk_score:802024-11-28version:6
The following analytic detects the execution of rundll32.exe loading advpack.dll or ieadvpack.dll via the LaunchINFSection function. This method is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions and process details. This activity is significant as it indicates a potential application control bypass, allowing script code execution from a file. If confirmed malicious, an attacker could execute arbitrary code, potentially leading to privilege escalation, persistence, or further network compromise. Investigate script content, network connections, and any spawned child processes for further context.
Detect Rundll32 Application Control Bypass - setupapi: endpointEndpointrisk_score:802024-11-28version:6
The following analytic detects the execution of rundll32.exe loading setupapi.dll and iesetupapi.dll via the LaunchINFSection function. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events and command-line arguments. This activity is significant as it indicates a potential application control bypass, allowing an attacker to execute arbitrary script code. If confirmed malicious, this technique could enable code execution, privilege escalation, or persistence within the environment, posing a severe threat to system integrity and security.
RunDLL Loading DLL By Ordinal: endpointEndpointrisk_score:492024-09-30version:8
The following analytic detects rundll32.exe loading a DLL export function by ordinal value. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This behavior is significant because adversaries may use rundll32.exe to execute malicious code while evading security tools that do not monitor this process. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to system compromise, privilege escalation, or persistent access within the environment.
Detect Rundll32 Application Control Bypass - syssetup: endpointEndpointrisk_score:802024-11-28version:6
The following analytic detects the execution of rundll32.exe loading syssetup.dll via the LaunchINFSection function. This method is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions and process details. This activity is significant as it indicates a potential application control bypass, allowing script code execution from a file. If confirmed malicious, an attacker could execute arbitrary code, potentially leading to privilege escalation, persistence, or further network compromise. Investigate the script content, network connections, and any spawned child processes for further context.
Suspicious Rundll32 Rename: endpointEndpointrisk_score:632024-10-17version:6
The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.
Dump LSASS via comsvcs DLL: endpointEndpointrisk_score:802024-11-28version:6
The following analytic detects the behavior of dumping credentials from memory by exploiting the Local Security Authority Subsystem Service (LSASS) using the comsvcs.dll and MiniDump via rundll32. This detection leverages process information from Endpoint Detection and Response (EDR) logs, focusing on specific command-line executions. This activity is significant because it indicates potential credential theft, which can lead to broader system compromise, persistence, lateral movement, and privilege escalation. If confirmed malicious, attackers could gain unauthorized access to sensitive information, leading to data theft, ransomware attacks, or other damaging outcomes.
Suspicious Rundll32 dllregisterserver: endpointEndpointrisk_score:352024-09-30version:5
The following analytic detects the execution of rundll32.exe with the DllRegisterServer command to load a DLL. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to register a malicious DLL, which can be a method for code execution or persistence. If confirmed malicious, an attacker could gain unauthorized code execution, escalate privileges, or maintain persistence within the environment, posing a severe security risk.
Suspicious Rundll32 StartW: endpointEndpointrisk_score:352024-09-30version:5
The following analytic identifies the execution of rundll32.exe with the DLL function names "Start" and "StartW," commonly associated with Cobalt Strike payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it often indicates the presence of malicious payloads, such as Cobalt Strike, which can lead to unauthorized code execution. If confirmed malicious, this activity could allow attackers to inject shellcode, escalate privileges, and maintain persistence within the environment.
Rundll32 Control RunDLL Hunt: endpointEndpointrisk_score:152024-10-17version:4
The following analytic identifies instances of rundll32.exe executing with `Control_RunDLL` in the command line, which is indicative of loading a .cpl or other file types. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as rundll32.exe can be exploited to execute malicious Control Panel Item files, potentially linked to CVE-2021-40444. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.
Suspicious Rundll32 no Command Line Arguments: endpointEndpointrisk_score:492024-09-30version:5
The following analytic detects the execution of rundll32.exe without any command line arguments. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution logs. It is significant because rundll32.exe typically requires command line arguments to function properly, and its absence is often associated with malicious activities, such as those performed by Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to execute arbitrary code, potentially leading to credential dumping, unauthorized file writes, or other malicious actions.
