New

The executive guide to generative AI

Read more

Command Shell Activity Started via RunDLL32

edit

Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Execution

Version: 7 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Microsoft Windows installers leveraging RunDLL32 for installation.

Investigation guide

edit

Rule query

edit
process where event.type == "start" and process.name : ("cmd.exe",
"powershell.exe") and process.parent.name : "rundll32.exe" and
process.parent.command_line != null and /* common FPs can be added
here */ not process.parent.args :
("C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL",
"C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc")

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 7 (8.4.0 release)
  • Formatting only
Version 5 (8.2.0 release)
  • Formatting only
Version 4 (7.13.0 release)
  • Updated query, changed from:

    process where event.type in ("start", "process_started") and
    process.name : ("cmd.exe", "powershell.exe") and process.parent.name
    : "rundll32.exe" and /* common FPs can be added here */ not
    process.parent.args :
    "C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL"
Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only