Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious Rundll32 Execution With Image Extension

Detects the execution of Rundll32.exe with DLL files masquerading as image files

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Hieu TranCreated Mon Mar 134aa6040b-3f28-44e3-a769-9208e5feb5ecwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.exe'
    selection_cli:
        CommandLine|contains:
            - '.bmp'
            - '.cr2'
            - '.eps'
            - '.gif'
            - '.ico'
            - '.jpeg'
            - '.jpg'
            - '.nef'
            - '.orf'
            - '.png'
            - '.raw'
            - '.sr2'
            - '.tif'
            - '.tiff'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
zscaler.com
MITRE ATT&CK

Sub-techniques

T1218.011 · Rundll32
Related Rules
SimilarDetectionhigh

Regsvr32 DLL Execution With Suspicious File Extension

Detects the execution of REGSVR32.exe with DLL files masquerading as other files

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
4aa6040b-3f28-44e3-a769-9208e5feb5ec
Status
test
Level
high
Type
Detection
Created
Mon Mar 13
Author
Hieu Tran
Path
rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml
Raw Tags
attack.defense-evasionattack.t1218.011
View on GitHub