Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
Detects Rundll32 explicitly calling the DLL export function 'DllRegisterServer' on the command line where the DLL is located in a non-standard path.
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (3 selectors)
detection:
  selection_image:
    - Image|endswith: '\rundll32.exe'
    - OriginalFileName: 'RUNDLL32.EXE'
  selection_cmdline:
    CommandLine|contains: 'DllRegisterServer'
  filter_main_legit_paths:
    CommandLine|contains:
      - ':\Program Files (x86)'
      - ':\Program Files\'
      - ':\Windows\System32\'
      - ':\Windows\SysWOW64\'
  condition: all of selection_* and not 1 of filter_main_*
False Positives
Legitimate usage as part of application installation, although legitimate installs are less likely to register a DLL from e.g. temporary paths.
Not every instance is considered malicious, but this rule will capture the malicious usages.
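To make the selector and filter semantics concrete, here is an added example (not part of the Sigma rule or of this page) that evaluates the detection block above in plain Python over constructed process-creation events: it shows the OR between the two selection_image entries, the case-insensitive matching Sigma applies to string modifiers, and how the legit-path filter drops the Program Files case from the false-positives note while a temp-path registration still matches. The event field names follow the rule; the sample command lines are constructed.

```python
# Added example: a minimal evaluator for this rule's detection block, run over
# constructed process-creation events (no real telemetry involved).
# Sigma's endswith/contains modifiers match case-insensitively, so both sides
# are lowercased before comparison.

# Values from the rule's filter_main_legit_paths selector.
LEGIT_PATHS = (
    ":\\Program Files (x86)",
    ":\\Program Files\\",
    ":\\Windows\\System32\\",
    ":\\Windows\\SysWOW64\\",
)

def _lower(value):
    return (value or "").lower()

def selection_image(event):
    # A list of maps in Sigma is an OR between the entries: either the image
    # path ends in \rundll32.exe or the PE's OriginalFileName says RUNDLL32.EXE.
    return (_lower(event.get("Image")).endswith("\\rundll32.exe")
            or _lower(event.get("OriginalFileName")) == "rundll32.exe")

def selection_cmdline(event):
    return "dllregisterserver" in _lower(event.get("CommandLine"))

def filter_main_legit_paths(event):
    # A list of values under one field is an OR over those values.
    cmd = _lower(event.get("CommandLine"))
    return any(path.lower() in cmd for path in LEGIT_PATHS)

def matches(event):
    # condition: all of selection_* and not 1 of filter_main_*
    return (selection_image(event) and selection_cmdline(event)
            and not filter_main_legit_paths(event))

# Constructed sample events: temp-path registration, Program Files install,
# a rundll32 copy running under a different file name, and an unrelated process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\Public\Temp\update.dll",DllRegisterServer'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Program Files\Vendor\app.dll",DllRegisterServer'},
    {"Image": r"C:\Users\Public\r32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"r32.exe C:\Users\Public\lib.dll,dllregisterserver"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\lib.dll"},
]

def evaluate(events=SAMPLE_EVENTS):
    return [matches(e) for e in events]  # returns [True, False, True, False]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("MATCH" if hit else "pass ", event["CommandLine"])
```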
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Techniques: T1218 (attack.t1218)
Other: detection.threat-hunting
Rule Metadata
Rule ID
d81a9fc6-55db-4461-b962-0e78fea5b0ad
Status
test
Level
medium
Type
Threat Hunt
Created
Tue Oct 17
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
Raw Tags
attack.defense-evasion, attack.t1218, detection.threat-hunting