limitted. this parameter is not commonly used by windows application but can be used by the network operator.

t1218
t1218.011
endpoint
splunk

Techniques

T1218
T1218.011

Sample rules

Suspicious IcedID Rundll32 Cmdline

source: splunk
technicques:
- T1218
- T1218.011

Description

This search is to detect a suspicious rundll32.exe commandline to execute dll file. This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:* by  Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `suspicious_icedid_rundll32_cmdline_filter`