Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Potential Renamed Rundll32 Execution

Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Mon Aug 22Updated Fri Feb 032569ed8c-1147-498a-9b8c-2ad3656b10edwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        CommandLine|contains: 'DllRegisterServer'
    filter:
        Image|endswith: '\rundll32.exe'
    condition: selection and not filter
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
twitter.com
2
Resolving title…
app.any.run
MITRE ATT&CK
Related Rules
DerivedDetectionhigh

Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
2569ed8c-1147-498a-9b8c-2ad3656b10ed
Status
test
Level
high
Type
Detection
Created
Mon Aug 22
Modified
Fri Feb 03
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
Raw Tags
attack.execution
View on GitHub