The detection identifies potential adversary reconnaissance activity: rundll32.exe launched with an empty command line (no arguments) and then initiating outbound network connections, a pattern consistent with a malicious payload being loaded during an initial compromise attempt. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage Trickbot malware activity before it progresses to lateral movement and data exfiltration.
KQL Query

```kusto
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "rundll32.exe"
// Empty command line
| where InitiatingProcessCommandLine has "rundll32.exe" and InitiatingProcessCommandLine !contains " "
    and InitiatingProcessCommandLine != ""
| summarize DestinationIPCount = dcount(RemoteIP), make_set(RemoteIP), make_set(RemoteUrl),
    make_set(RemotePort) by InitiatingProcessCommandLine, DeviceId, bin(Timestamp, 5m)
```
```yaml
id: c720f607-7f7b-41c8-bed9-2d9a240d965c
name: recon-with-rundll
description: |
  This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated.
  Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control (C2) operations.
  Trickbot operators are known to use the legitimate Windows process rundll32.exe to perform malicious activities, such as reconnaissance. Once a target is infected, the operator will drop a batch file that runs several commands and connects to a C2 server for further action.
  The following query detects suspicious rundll32.exe activity associated with Trickbot campaigns.
  See Office applications launching wscript.exe to run JScript for another query related to Trickbot activity.
  Reference - https://attack.mitre.org/software/S0266/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Discovery
  - Collection
  - CommandAndControl
query: |
  DeviceNetworkEvents
  | where InitiatingProcessFileName =~ "rundll32.exe"
  // Empty command line
  | where InitiatingProcessCommandLine has "rundll32.exe" and InitiatingProcessCommandLine !contains " "
      and InitiatingProcessCommandLine != ""
  | summarize DestinationIPCount = dcount(RemoteIP), make_set(RemoteIP), make_set(RemoteUrl),
      make_set(RemotePort) by InitiatingProcessCommandLine, DeviceId, bin(Timestamp, 5m)
```
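To make the query's filter and summarize steps concrete, here is an added Python simulation of the same logic over constructed DeviceNetworkEvents rows; it is not code from the original page or from Microsoft's query, the sample values are hypothetical, and KQL `has` is approximated by a case-insensitive substring match.

```python
from collections import defaultdict
from datetime import datetime

def ev(ts, device, fname, cmdline, ip, port, url=""):
    """Build one DeviceNetworkEvents-like row (only the columns the query touches)."""
    return {"Timestamp": ts, "DeviceId": device, "InitiatingProcessFileName": fname,
            "InitiatingProcessCommandLine": cmdline, "RemoteIP": ip, "RemotePort": port, "RemoteUrl": url}

# Constructed sample events (hypothetical values, not from the original report).
SAMPLE_EVENTS = [
    # dev-a: bare rundll32.exe, no arguments, reaching two IPs inside one 5-minute bin -> should surface
    ev("2023-01-01T10:01:10", "dev-a", "rundll32.exe", "rundll32.exe", "203.0.113.5", 443),
    ev("2023-01-01T10:02:30", "dev-a", "RunDll32.EXE", "rundll32.exe", "203.0.113.9", 449),
    ev("2023-01-01T10:03:45", "dev-a", "rundll32.exe", "rundll32.exe", "203.0.113.5", 443),
    # dev-a again, but in the next 5-minute bin -> separate summarize row
    ev("2023-01-01T10:07:00", "dev-a", "rundll32.exe", "rundll32.exe", "203.0.113.9", 449),
    # dev-b: rundll32.exe with a DLL argument (command line contains a space) -> excluded
    ev("2023-01-01T10:02:00", "dev-b", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL", "10.0.0.8", 80),
    # dev-b: different initiating process -> excluded
    ev("2023-01-01T10:02:00", "dev-b", "svchost.exe", "svchost.exe", "198.51.100.2", 443),
]

def is_bare_rundll32(event):
    """Mirror the query's where clauses: rundll32.exe as parent, command line with no arguments."""
    cmd = event["InitiatingProcessCommandLine"]
    return (event["InitiatingProcessFileName"].lower() == "rundll32.exe"  # =~ is case-insensitive
            and "rundll32.exe" in cmd.lower()  # approximates KQL 'has' (case-insensitive)
            and " " not in cmd                 # !contains " ": no space means no arguments
            and cmd != "")

def bin_5m(ts):
    """Equivalent of bin(Timestamp, 5m): floor the timestamp to a 5-minute boundary."""
    dt = datetime.fromisoformat(ts)
    return dt.replace(minute=dt.minute - dt.minute % 5, second=0, microsecond=0)

def summarize(events):
    """Equivalent of the summarize step; rows keyed by (CommandLine, DeviceId, 5-minute bin)."""
    groups = defaultdict(lambda: {"RemoteIP": set(), "RemoteUrl": set(), "RemotePort": set()})
    for e in events:
        if not is_bare_rundll32(e):
            continue
        key = (e["InitiatingProcessCommandLine"], e["DeviceId"], bin_5m(e["Timestamp"]))
        for col in ("RemoteIP", "RemoteUrl", "RemotePort"):
            groups[key][col].add(e[col])
    return {key: {"DestinationIPCount": len(g["RemoteIP"]),
                  "set_RemoteIP": sorted(g["RemoteIP"]),
                  "set_RemoteUrl": sorted(g["RemoteUrl"]),
                  "set_RemotePort": sorted(g["RemotePort"])}
            for key, g in groups.items()}

if __name__ == "__main__":
    for key, row in summarize(SAMPLE_EVENTS).items():
        print(key, row)
```

Note that the benign scenarios listed below all involve rundll32.exe invoked with a DLL argument, so they already fall outside the `!contains " "` clause; the exclusions there matter only if the command-line condition is loosened.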
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate use of rundll32.exe for system maintenance
Description: A system administrator uses rundll32.exe to run a legitimate DLL file as part of a scheduled maintenance task, such as updating system components or running a cleanup utility.
Filter/Exclusion: Exclude processes where rundll32.exe is used with known legitimate DLLs (e.g., setupapi.dll, msi.dll) and where the process is initiated by a trusted system account or scheduled task.
Scenario: Running a legitimate tool via rundll32.exe
Description: A security tool or enterprise application (e.g., Microsoft Baseline Security Analyzer, Windows Defender) uses rundll32.exe to execute a DLL for scanning or configuration purposes.
Filter/Exclusion: Exclude processes where rundll32.exe is used with known security tool DLLs (e.g., msseces.dll, mqrt.dll) and where the process is initiated by a trusted user or service account.
Scenario: Scheduled job using rundll32.exe for script execution
Description: A scheduled job runs a script or executable via rundll32.exe to perform routine tasks like log rotation, backup, or system monitoring.
Filter/Exclusion: Exclude processes where rundll32.exe is used with script execution parameters (e.g., shell32.dll with ShellExecuteW) and where the process is associated with a known scheduled task or service.
Scenario: Admin task using rundll32.exe for registry operations
Description: An administrator uses rundll32.exe to modify the registry via a DLL that performs registry edits as part of a configuration change or policy update.