LoFP / False positives may occur if a user called rundll32 from the CLI with no options

Techniques

Sample rules

Rundll32 Execution Without Parameters

Description

Detects rundll32 execution without any parameters, as observed when running the Metasploit windows/smb/psexec exploit module.

Detection logic

condition: selection
selection:
  CommandLine:
  - rundll32.exe
  - rundll32
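Added example, not part of the original LoFP page or of the Sigma rule: it applies the selection above to constructed process-creation events and separates the interactive-CLI case that the false-positive note describes from everything else. Event field names (CommandLine, ParentImage) and the use of cmd.exe/powershell.exe as the "called from the CLI" indicator are assumptions.

```python
"""Added example: evaluates the Rundll32 Execution Without Parameters
selection against constructed events and triages each match."""

# Rule values: CommandLine must equal one of these. A Sigma string value
# without wildcards matches the whole field, case-insensitively, so any
# trailing argument (a DLL path, an export name) defeats the match, and
# so does a quoted full path to rundll32.exe: that is a coverage caveat
# of the rule as written, not something this example changes.
RULE_COMMANDLINES = ("rundll32.exe", "rundll32")

# Parents treated as an interactive shell for triage (assumption).
INTERACTIVE_SHELLS = ("\\cmd.exe", "\\powershell.exe")


def matches_selection(event: dict) -> bool:
    """Whole-field, case-insensitive comparison, mirroring Sigma semantics."""
    cmd = event.get("CommandLine")
    if cmd is None:
        return False
    return cmd.casefold() in {v.casefold() for v in RULE_COMMANDLINES}


def triage(event: dict) -> str:
    """'likely-benign-cli' when the parent is an interactive shell (the LoFP
    case on this page), otherwise 'investigate'."""
    parent = event.get("ParentImage", "").casefold()
    if parent.endswith(tuple(s.casefold() for s in INTERACTIVE_SHELLS)):
        return "likely-benign-cli"
    return "investigate"


def run_rule(events: list) -> list:
    """Return (event index, triage label) for every event the rule fires on."""
    return [(i, triage(e)) for i, e in enumerate(events) if matches_selection(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"CommandLine": "rundll32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"CommandLine": "RUNDLL32", "ParentImage": "C:\\Windows\\Temp\\svc_placeholder.exe"},
    {"CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\"", "ParentImage": "C:\\Windows\\System32\\services.exe"},
]

if __name__ == "__main__":
    for idx, label in run_rule(SAMPLE_EVENTS):
        print(idx, repr(SAMPLE_EVENTS[idx]["CommandLine"]), "->", label)
```

Only the first two events fire: the bare command line from cmd.exe is labelled as the benign CLI case, the one from an unknown parent is flagged for investigation, and the argument-bearing and full-path invocations do not match the selection at all.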