Rundll32 Execution Without CommandLine Parameters
- source: sigma
- techniques:
  - t1202
Description
Detects a suspicious start of rundll32.exe without any command-line parameters, as seen in Cobalt Strike beacon activity.
Detection logic
condition: selection and not filter
filter:
  ParentImage|contains:
    - \AppData\Local\
    - \Microsoft\Edge\
selection:
  CommandLine|endswith:
    - \rundll32.exe
    - \rundll32.exe"
    - \rundll32