Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Regsvr32 Rundll32 Image Loads Abnormal Extension

Regsvr32 Rundll32 Image Loads Abnormal Extension

Back
Id36fbd4e7-5630-4414-aa42-702a7fdded21
RulenameRegsvr32 Rundll32 Image Loads Abnormal Extension
DescriptionThis query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll.

Joins the data to public network events.

References:

https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/
SeverityHigh
TacticsDefenseEvasion
TechniquesT1218.010
T1218.011
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml
Version1.0.0
Arm template36fbd4e7-5630-4414-aa42-702a7fdded21.json
Deploy To Azure
DeviceImageLoadEvents 
| where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
| where FileName !endswith ".dll"
| join (
DeviceNetworkEvents
| where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
| where RemoteIPType == "Public"
) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, LocalIP, LocalPort, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

kind: Scheduled
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
- entityType: IP
  fieldMappings:
  - columnName: LocalIP
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: RemoteIP
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: RemoteUrl
    identifier: Url
description: |
  This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll.
  Joins the data to public network events.
  References:
  https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/  
severity: High
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1218.010
- T1218.011
tags:
- Defense Evasion
- Image Load
- Regsvr32 Abuse
- Rundll32 Abuse
status: Available
tactics:
- DefenseEvasion
name: Regsvr32 Rundll32 Image Loads Abnormal Extension
id: 36fbd4e7-5630-4414-aa42-702a7fdded21
query: |
  DeviceImageLoadEvents 
  | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
  | where FileName !endswith ".dll"
  | join (
  DeviceNetworkEvents
  | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
  | where RemoteIPType == "Public"
  ) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine
  | project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, LocalIP, LocalPort, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  - DeviceNetworkEvents
  connectorId: MicrosoftThreatProtection
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml
queryPeriod: 1h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/36fbd4e7-5630-4414-aa42-702a7fdded21')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/36fbd4e7-5630-4414-aa42-702a7fdded21')]",
      "properties": {
        "alertRuleTemplateName": "36fbd4e7-5630-4414-aa42-702a7fdded21",
        "customDetails": null,
        "description": "This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll.\nJoins the data to public network events.\nReferences:\nhttps://threathunt.blog/running-live-malware-for-threat-hunting-purposes/\n",
        "displayName": "Regsvr32 Rundll32 Image Loads Abnormal Extension",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "LocalIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "RemoteIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RemoteUrl",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml",
        "query": "DeviceImageLoadEvents \n| where InitiatingProcessFileName has_any (\"rundll32.exe\",\"regsvr32.exe\")\n| where FileName !endswith \".dll\"\n| join (\nDeviceNetworkEvents\n| where InitiatingProcessFileName has_any (\"rundll32.exe\",\"regsvr32.exe\")\n| where RemoteIPType == \"Public\"\n) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine\n| project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, LocalIP, LocalPort, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1218.010",
          "T1218.011"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "tags": [
          "Defense Evasion",
          "Image Load",
          "Regsvr32 Abuse",
          "Rundll32 Abuse"
        ],
        "techniques": [
          "T1218"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}