certain legitimate windows components, third-party applications, or administrative scripts may use rundll32.exe with non-standard or extensionless inputs during normal operation. filtering and contextual analysis are required, focus on command-line arguments, parent process, file location, and prevalence across the environment before determining malicious intent.

Techniques

T1218.011

Sample rules

Windows Rundll32 with Non-Standard File Extension

source: splunk
technicques:
- T1218.011

Description

This analytic identifies the instance of rundll32.exe process loading a non-standard Windows modules file extension. This behavior is not common and can be associated with malicious activities, such as the Gh0st RAT backdoor. This technique is to evade possible detection by security tools that monitors a suspicious dll loading activity.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Endpoint.Processes WHERE

`process_rundll32`
(
    Processes.parent_process_path IN (
        "*:\\PerfLogs\\*",
        "*:\\ProgramData\\*",
        "*:\\Recycle.bin\\*",
        "*:\\Users\\Administrator\\Music\\*",
        "*:\\Users\\Public\\*",
        "*:\\Windows\\Cursors\\*",
        "*:\\Windows\\debug\\*",
        "*:\\Windows\\fonts\\*",
        "*:\\Windows\\INF\\*",
        "*:\\Windows\\Media\\*",
        "*:\\Windows\\Prefetch\\*",
        "*:\\Windows\\repair\\*",
        "*:\\Windows\\Tasks\\*",
        "*\\Temp\\*"
    )
    OR
    Processes.parent_process_name IN (
        "*cmd.exe*",
        "*cscript.exe*",
        "*mshta.exe*",
        "*powershell.exe*",
        "*pwsh.exe*",
        "*regsvr32.exe*",
        "*wscript.exe*"
    )
)
NOT Processes.process IN (
        "*.cpl*",
        "*.dll*",
        "*.drv*",
        "*.inf*",
        "*.mui*",
        "*.ocx*"
    )

BY Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process_exec Processes.parent_process_guid
   Processes.parent_process_id Processes.parent_process_path
   Processes.process_exec Processes.process_guid Processes.process_hash
   Processes.process_id Processes.process_integrity_level
   Processes.process_path Processes.user Processes.user_id
   Processes.vendor_product Processes.parent_process_name
   Processes.parent_process Processes.process_name Processes.process


| `drop_dm_object_name(Processes)`


| rex field=process "^(?<cmd_base_process>[^\s]+)\s+\"?(?<cmd_base_first_param>[^,^\"^\s]+).*?,(?<cmd_args>.*)$"


| rex field=cmd_base_first_param "^(?<root>[^\\\\]+)\\\\(?<subdirs>[^\\\\]+)"


| eval folder_count = mvcount(split(cmd_base_first_param, "\\"))


| where (
            folder_count = 3
            AND
            NOT lower(subdirs) IN (
                                    "windows",
                                    "program files",
                                    "program files (x86)"
                                )
        )
        OR
        like(cmd_base_first_param, "%:\\ProgramData\\%")
        OR
        like(cmd_base_first_param, "%:\\Users\\Public\\%")
        OR
        like(cmd_base_first_param, "%\\AppData\\Local\\Temp\\%")
        OR
        like(cmd_base_first_param, "%\\AppData\\Roaming\\%")


| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_rundll32_with_non_standard_file_extension_filter`