Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Regsvr32 Rundll32 with Anomalous Parent Process

Regsvr32 Rundll32 with Anomalous Parent Process

Back
Id2624fc55-0998-4897-bb48-1c6422befce4
RulenameRegsvr32 Rundll32 with Anomalous Parent Process
DescriptionThis analytical rule looks for rundll32.exe or regsvr32.exe being spawned by abnormal processes: wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe.

Blog: https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/
SeverityHigh
TacticsDefenseEvasion
TechniquesT1218.010
T1218.011
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/Regsvr32Rundll32WithAnomalousParentProcess.yaml
Version1.0.0
Arm template2624fc55-0998-4897-bb48-1c6422befce4.json
Deploy To Azure
DeviceProcessEvents
| where FileName has_any ("rundll32.exe","regsvr32.exe")
| where InitiatingProcessFileName has_any ("wscript.exe","powershell.exe","cmd.exe","pwsh.exe","cscript.exe")
| project TimeGenerated, DeviceName, InvestigatedProcessName=FileName, InvestigatedProcessCommandLine = ProcessCommandLine,InvestigatedProcessStartTime = ProcessCreationTime, InvestigatedProcessId = ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| join (
DeviceNetworkEvents
| where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
| where RemoteIPType == "Public"
| project DeviceName, InvestigatedProcessName=InitiatingProcessFileName, InvestigatedProcessCommandLine = InitiatingProcessCommandLine,InvestigatedProcessStartTime = InitiatingProcessCreationTime, InvestigatedProcessId = InitiatingProcessId, LocalIP, RemoteIP, RemoteUrl
) on DeviceName, InvestigatedProcessCommandLine, InvestigatedProcessId, InvestigatedProcessName, InvestigatedProcessStartTime
| project-away DeviceName1, InvestigatedProcessCommandLine1, InvestigatedProcessId1, InvestigatedProcessName1, InvestigatedProcessStartTime1
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

description: |
  This analytical rule looks for rundll32.exe or regsvr32.exe being spawned by abnormal processes: wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe.
  Blog: https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/  
kind: Scheduled
tactics:
- DefenseEvasion
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
  - DeviceNetworkEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/Regsvr32Rundll32WithAnomalousParentProcess.yaml
severity: High
name: Regsvr32 Rundll32 with Anomalous Parent Process
triggerThreshold: 0
queryPeriod: 1h
query: |
  DeviceProcessEvents
  | where FileName has_any ("rundll32.exe","regsvr32.exe")
  | where InitiatingProcessFileName has_any ("wscript.exe","powershell.exe","cmd.exe","pwsh.exe","cscript.exe")
  | project TimeGenerated, DeviceName, InvestigatedProcessName=FileName, InvestigatedProcessCommandLine = ProcessCommandLine,InvestigatedProcessStartTime = ProcessCreationTime, InvestigatedProcessId = ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
  | join (
  DeviceNetworkEvents
  | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
  | where RemoteIPType == "Public"
  | project DeviceName, InvestigatedProcessName=InitiatingProcessFileName, InvestigatedProcessCommandLine = InitiatingProcessCommandLine,InvestigatedProcessStartTime = InitiatingProcessCreationTime, InvestigatedProcessId = InitiatingProcessId, LocalIP, RemoteIP, RemoteUrl
  ) on DeviceName, InvestigatedProcessCommandLine, InvestigatedProcessId, InvestigatedProcessName, InvestigatedProcessStartTime
  | project-away DeviceName1, InvestigatedProcessCommandLine1, InvestigatedProcessId1, InvestigatedProcessName1, InvestigatedProcessStartTime1
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
relevantTechniques:
- T1218.010
- T1218.011
id: 2624fc55-0998-4897-bb48-1c6422befce4
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.0
tags:
- Defense Evasion
- Image Load
- Regsvr32 Abuse
- Rundll32 Abuse
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
- entityType: IP
  fieldMappings:
  - columnName: LocalIP
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: RemoteIP
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: RemoteUrl
    identifier: Url