
Potentially Suspicious Rundll32 Activity

sigma MEDIUM SigmaHQ
T1218.011
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-19T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities

Detection Rule

Sigma (Original)

title: Potentially Suspicious Rundll32 Activity
id: e593cf51-88db-4ee1-b920-37e89012a3c9
status: test
description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
references:
    - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
    - https://twitter.com/Hexacorn/status/885258886428725250
    - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
    - https://twitter.com/nas_bench/status/1433344116071583746 # dfshim.dll,ShOpenVerbShortcut
    - https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib
    - https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen
author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-05-17
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
              - 'javascript:'
              - '.RegisterXLL'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'OpenURLA'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'FileProtocolHandler'
        - CommandLine|contains|all:
              - 'zipfldr.dll'
              - 'RouteTheCall'
        - CommandLine|contains|all:
              - 'shell32.dll'
              - 'Control_RunDLL'
        - CommandLine|contains|all:
              - 'shell32.dll'
              - 'ShellExec_RunDLL'
        - CommandLine|contains|all:
              - 'mshtml.dll'
              - 'PrintHTML'
        - CommandLine|contains|all:
              - 'advpack.dll'
              - 'LaunchINFSection'
        - CommandLine|contains|all:
              - 'advpack.dll'
              - 'RegisterOCX'
        - CommandLine|contains|all:
              - 'ieadvpack.dll'
              - 'LaunchINFSection'
        - CommandLine|contains|all:
              - 'ieadvpack.dll'
              - 'RegisterOCX'
        - CommandLine|contains|all:
              - 'ieframe.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'shdocvw.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'syssetup.dll'
              - 'SetupInfObjectInstallAction'
        - CommandLine|contains|all:
              - 'setupapi.dll'
              - 'InstallHinfSection'
        - CommandLine|contains|all:
              - 'pcwutl.dll'
              - 'LaunchApplication'
        - CommandLine|contains|all:
              - 'dfshim.dll'
              - 'ShOpenVerbApplication'
        - CommandLine|contains|all:
              - 'dfshim.dll'
              - 'ShOpenVerbShortcut'
        - CommandLine|contains|all:
              - 'scrobj.dll'
              - 'GenerateTypeLib'
              - 'http'
        - CommandLine|contains|all:
              - 'shimgvw.dll'
              - 'ImageView_Fullscreen'
              - 'http'
        - CommandLine|contains|all:
              - 'comsvcs.dll'
              - 'MiniDump'
    filter_main_screensaver:
        CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver'
    filter_main_parent_cpl:  # Settings
        ParentImage: 'C:\Windows\System32\control.exe'
        ParentCommandLine|contains: '.cpl'
        CommandLine|contains|all:
            - 'Shell32.dll'
            - 'Control_RunDLL'
            - '.cpl'
    filter_main_startmenu:
        ParentImage: 'C:\Windows\System32\control.exe'
        CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\'
        CommandLine|endswith: '.cpl",'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (
    (TargetProcessCommandLine contains "javascript:" and TargetProcessCommandLine contains ".RegisterXLL")
    or (TargetProcessCommandLine contains "url.dll" and TargetProcessCommandLine contains "OpenURL")
    or (TargetProcessCommandLine contains "url.dll" and TargetProcessCommandLine contains "OpenURLA")
    or (TargetProcessCommandLine contains "url.dll" and TargetProcessCommandLine contains "FileProtocolHandler")
    or (TargetProcessCommandLine contains "zipfldr.dll" and TargetProcessCommandLine contains "RouteTheCall")
    or (TargetProcessCommandLine contains "shell32.dll" and TargetProcessCommandLine contains "Control_RunDLL")
    or (TargetProcessCommandLine contains "shell32.dll" and TargetProcessCommandLine contains "ShellExec_RunDLL")
    or (TargetProcessCommandLine contains "mshtml.dll" and TargetProcessCommandLine contains "PrintHTML")
    or (TargetProcessCommandLine contains "advpack.dll" and TargetProcessCommandLine contains "LaunchINFSection")
    or (TargetProcessCommandLine contains "advpack.dll" and TargetProcessCommandLine contains "RegisterOCX")
    or (TargetProcessCommandLine contains "ieadvpack.dll" and TargetProcessCommandLine contains "LaunchINFSection")
    or (TargetProcessCommandLine contains "ieadvpack.dll" and TargetProcessCommandLine contains "RegisterOCX")
    or (TargetProcessCommandLine contains "ieframe.dll" and TargetProcessCommandLine contains "OpenURL")
    or (TargetProcessCommandLine contains "shdocvw.dll" and TargetProcessCommandLine contains "OpenURL")
    or (TargetProcessCommandLine contains "syssetup.dll" and TargetProcessCommandLine contains "SetupInfObjectInstallAction")
    or (TargetProcessCommandLine contains "setupapi.dll" and TargetProcessCommandLine contains "InstallHinfSection")
    or (TargetProcessCommandLine contains "pcwutl.dll" and TargetProcessCommandLine contains "LaunchApplication")
    or (TargetProcessCommandLine contains "dfshim.dll" and TargetProcessCommandLine contains "ShOpenVerbApplication")
    or (TargetProcessCommandLine contains "dfshim.dll" and TargetProcessCommandLine contains "ShOpenVerbShortcut")
    or (TargetProcessCommandLine contains "scrobj.dll" and TargetProcessCommandLine contains "GenerateTypeLib" and TargetProcessCommandLine contains "http")
    or (TargetProcessCommandLine contains "shimgvw.dll" and TargetProcessCommandLine contains "ImageView_Fullscreen" and TargetProcessCommandLine contains "http")
    or (TargetProcessCommandLine contains "comsvcs.dll" and TargetProcessCommandLine contains "MiniDump")
  )
  and not (
    TargetProcessCommandLine contains "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver"
    or ((ParentProcessName =~ "C:\\Windows\\System32\\control.exe" or ActingProcessName =~ "C:\\Windows\\System32\\control.exe")
        and ActingProcessCommandLine contains ".cpl"
        and (TargetProcessCommandLine contains "Shell32.dll" and TargetProcessCommandLine contains "Control_RunDLL" and TargetProcessCommandLine contains ".cpl"))
    or ((ParentProcessName =~ "C:\\Windows\\System32\\control.exe" or ActingProcessName =~ "C:\\Windows\\System32\\control.exe")
        and TargetProcessCommandLine startswith "\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Windows\\System32\\"
        and TargetProcessCommandLine endswith ".cpl\",")
  )
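Added example, not code from SigmaHQ or from this feed: a Python port of the rule's selection and filter_main_* blocks (matching case-insensitively, as Sigma string modifiers and the KQL `contains` / `=~` operators do), evaluated over constructed process_creation events. The event dictionaries, their field names (mirroring the Sigma logsource fields) and all sample command lines are assumptions made for the example.

```python
# Added example (my own code, not the SigmaHQ rule or this feed's tooling): a Python
# port of the rule's selection and filter_main_* blocks, run over constructed events.
SELECTION = [  # each tuple is one CommandLine|contains|all entry of the rule
    ("javascript:", ".RegisterXLL"), ("url.dll", "OpenURL"), ("url.dll", "OpenURLA"),
    ("url.dll", "FileProtocolHandler"), ("zipfldr.dll", "RouteTheCall"),
    ("shell32.dll", "Control_RunDLL"), ("shell32.dll", "ShellExec_RunDLL"),
    ("mshtml.dll", "PrintHTML"), ("advpack.dll", "LaunchINFSection"),
    ("advpack.dll", "RegisterOCX"), ("ieadvpack.dll", "LaunchINFSection"),
    ("ieadvpack.dll", "RegisterOCX"), ("ieframe.dll", "OpenURL"), ("shdocvw.dll", "OpenURL"),
    ("syssetup.dll", "SetupInfObjectInstallAction"), ("setupapi.dll", "InstallHinfSection"),
    ("pcwutl.dll", "LaunchApplication"), ("dfshim.dll", "ShOpenVerbApplication"),
    ("dfshim.dll", "ShOpenVerbShortcut"), ("scrobj.dll", "GenerateTypeLib", "http"),
    ("shimgvw.dll", "ImageView_Fullscreen", "http"), ("comsvcs.dll", "MiniDump"),
]
CONTROL_EXE = r"C:\Windows\System32\control.exe"
STARTMENU_PREFIX = '"C:\\Windows\\system32\\rundll32.exe" Shell32.dll,Control_RunDLL "C:\\Windows\\System32\\'
def contains_all(text, needles):
    # Sigma string modifiers (like KQL `contains` and `=~`) match case-insensitively.
    t = text.lower()
    return all(n.lower() in t for n in needles)
def rule_fires(ev):
    """True when 'selection and not 1 of filter_main_*' holds for the event."""
    cmd, parent = ev.get("CommandLine", ""), ev.get("ParentImage", "")
    if not any(contains_all(cmd, t) for t in SELECTION):
        return False
    screensaver = contains_all(cmd, ["shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver"])
    parent_cpl = (parent.lower() == CONTROL_EXE.lower()
                  and ".cpl" in ev.get("ParentCommandLine", "").lower()
                  and contains_all(cmd, ["Shell32.dll", "Control_RunDLL", ".cpl"]))
    startmenu = (parent.lower() == CONTROL_EXE.lower()
                 and cmd.lower().startswith(STARTMENU_PREFIX.lower())
                 and cmd.lower().endswith('.cpl",'))
    return not (screensaver or parent_cpl or startmenu)
# Constructed sample events, not real telemetry.
EVENTS = {
    "cpl_from_control": {"ParentImage": CONTROL_EXE, "ParentCommandLine": CONTROL_EXE + " timedate.cpl",
                         "CommandLine": STARTMENU_PREFIX + 'timedate.cpl",'},
    "cpl_from_cmd": {"ParentImage": r"C:\Windows\System32\cmd.exe",
                     "CommandLine": STARTMENU_PREFIX + 'timedate.cpl",'},
    "screensaver": {"ParentImage": r"C:\Windows\explorer.exe",
                    "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver"},
    "mixed_case": {"ParentImage": r"C:\Windows\System32\cmd.exe",
                   "CommandLine": r"RUNDLL32 URL.DLL,FileProtocolHandler C:\Temp\file.txt"},
    "unlisted_export": {"ParentImage": r"C:\Windows\explorer.exe",
                        "CommandLine": "rundll32.exe printui.dll,PrintUIEntry /?"},
}
def evaluate():
    # Name -> whether the rule fires; the same .cpl launch is filtered only under control.exe.
    return {name: rule_fires(ev) for name, ev in EVENTS.items()}
```

Note that the scrobj.dll and shimgvw.dll entries require all three terms, so a GenerateTypeLib or ImageView_Fullscreen call without an "http" argument does not fire.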

Required Data Sources

Sentinel Table      Notes
imProcessCreate     Ensure this data connector is enabled

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml