LoFP / A third-party application may use this DLL export name to execute a function.

Techniques

Sample rules

Suspicious Rundll32 PluginInit

Description

This search detects a suspicious rundll32.exe process launched with the PluginInit parameter. The technique is commonly seen in IcedID malware, which uses it to execute its initial DLL stager and download a further payload to the compromised machine.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*PluginInit* by Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_rundll32_plugininit_filter`
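The following is an added example, not part of this page or of the Splunk content the rule comes from: a stand-alone Python re-implementation of the search above run over a constructed list of process events in the shape of the Endpoint.Processes fields the rule groups by. It shows the wildcard match on `*PluginInit*`, the aggregation of `count`, `firstTime` and `lastTime` per group, and an allowlist of parent process names standing in for the tuning that the `suspicious_rundll32_plugininit_filter` macro exists for (the false-positive case from the top of the page: a third-party application that legitimately calls the same export). The `process_rundll32` macro is assumed to match on the process name or the PE original file name; that, the allowlist contents, and every event value are assumptions made for the example.

```python
"""Added example: re-implements the 'Suspicious Rundll32 PluginInit' search
over constructed process events. Not the page's or Splunk's own code."""
from datetime import datetime, timezone

# Fields the SPL groups by (after `drop_dm_object_name(Processes)`).
GROUP_BY = ("process_name", "process", "parent_process_name", "original_file_name",
            "parent_process", "process_id", "parent_process_id", "dest", "user")


def make_event(t, name, cmd, parent, pid, ppid, dest, user, orig):
    """Build one Endpoint.Processes-style record (constructed sample data)."""
    return {"_time": t, "process_name": name, "process": cmd,
            "parent_process_name": parent, "original_file_name": orig,
            "parent_process": parent, "process_id": pid, "parent_process_id": ppid,
            "dest": dest, "user": user}


# Constructed sample events; paths, hosts, users and vendor names are invented.
SAMPLE_EVENTS = [
    # Same rundll32 process seen by two data sources a minute apart (identical PID).
    make_event(1700000000, "rundll32.exe",
               r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,PluginInit",
               "cmd.exe", 4120, 3988, "WS01", "alice", "RUNDLL32.EXE"),
    make_event(1700000060, "rundll32.exe",
               r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,PluginInit",
               "cmd.exe", 4120, 3988, "WS01", "alice", "RUNDLL32.EXE"),
    # Hypothetical third-party agent calling a DLL export named PluginInit.
    make_event(1700000120, "rundll32.exe",
               r"rundll32.exe C:\Program Files\ExampleVendor\plugin.dll,PluginInit",
               "ExampleVendorAgent.exe", 5210, 1500, "WS02", "SYSTEM", "RUNDLL32.EXE"),
    # Ordinary rundll32 usage without the PluginInit export: must not match.
    make_event(1700000180, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL",
               "explorer.exe", 6001, 2200, "WS03", "bob", "RUNDLL32.EXE"),
    # Not rundll32 at all, even though the command line contains PluginInit.
    make_event(1700000240, "notepad.exe", "notepad.exe PluginInit.txt",
               "explorer.exe", 6100, 2200, "WS03", "bob", "NOTEPAD.EXE"),
]

# Assumed tuning for the filter macro: parent processes known to use the export.
ALLOWED_PARENTS = frozenset({"examplevendoragent.exe"})


def is_rundll32(ev):
    """Stand-in for `process_rundll32` (assumed: name or original file name)."""
    return (ev.get("process_name", "").lower() == "rundll32.exe"
            or ev.get("original_file_name", "").lower() == "rundll32.exe")


def ctime(epoch):
    """Mimic `security_content_ctime`: render epoch seconds as UTC text."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def detect_rundll32_plugininit(events, allowed_parents=frozenset()):
    """Return one row per group with count, firstTime and lastTime."""
    groups = {}
    for ev in events:
        if not is_rundll32(ev):
            continue
        # Splunk wildcard *PluginInit* is a case-insensitive substring match.
        if "plugininit" not in ev.get("process", "").lower():
            continue
        # Allowlist plays the role of `suspicious_rundll32_plugininit_filter`.
        if ev.get("parent_process_name", "").lower() in allowed_parents:
            continue
        key = tuple(ev.get(f) for f in GROUP_BY)
        g = groups.setdefault(key, {"count": 0, "first": ev["_time"], "last": ev["_time"]})
        g["count"] += 1
        g["first"] = min(g["first"], ev["_time"])
        g["last"] = max(g["last"], ev["_time"])
    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=g["count"], firstTime=ctime(g["first"]), lastTime=ctime(g["last"]))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in detect_rundll32_plugininit(SAMPLE_EVENTS, ALLOWED_PARENTS):
        print(row["dest"], row["user"], row["count"], row["firstTime"], row["lastTime"])
        print("  ", row["process"])
```

Run without `ALLOWED_PARENTS` the function also returns the ExampleVendor row, which is exactly the kind of hit the page's false-positive note describes; the allowlist keyed on parent process name is one narrow way to suppress it without loosening the `*PluginInit*` match itself.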