Regsvr32 Rundll32 Image Loads Abnormal Extension
| Id | 36fbd4e7-5630-4414-aa42-702a7fdded21 |
| Rulename | Regsvr32 Rundll32 Image Loads Abnormal Extension |
| Description | This query looks for regsvr32.exe or rundll32.exe loading image files whose name does not end in .dll, and joins those image loads to network connections from the same process to public IP addresses. References: https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/ |
| Severity | High |
| Tactics | DefenseEvasion |
| Techniques | T1218.010 T1218.011 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml |
| Version | 1.0.0 |
| Arm template | 36fbd4e7-5630-4414-aa42-702a7fdded21.json |
DeviceImageLoadEvents
| where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
| where FileName !endswith ".dll"
| join (
    DeviceNetworkEvents
    | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
    | where RemoteIPType == "Public"
) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, LocalIP, LocalPort, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
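The detection above is KQL and only runs inside Sentinel, so as an added example (not part of the published rule) here is the same logic in Python over constructed sample rows, which makes two behaviours of the query visible that are easy to miss: `endswith` in KQL is case-insensitive, so `Legit.DLL` is excluded while an extension-less file is flagged, and the default `join` flavour is `innerunique`, which keeps only one image-load row per process key. The event dicts, host names, hashes and IPs below are invented for the example; `detect()` reproduces the filters, the four-column join and the HostName/DnsDomain split.

```python
"""Added example: the Sentinel rule's logic in Python over constructed sample rows.

Field names follow the DeviceImageLoadEvents / DeviceNetworkEvents columns the
rule references; all values are made up for the example.
"""

LOLBINS = {"rundll32.exe", "regsvr32.exe"}
JOIN_KEYS = ("InitiatingProcessFileName", "InitiatingProcessId",
             "InitiatingProcessCreationTime", "InitiatingProcessCommandLine")
PROJECTED = ("TimeGenerated", "DeviceName", "FileName", "FolderPath", "SHA1",
             "InitiatingProcessFileName", "InitiatingProcessCommandLine",
             "LocalIP", "LocalPort", "RemoteIP", "RemoteUrl", "RemotePort",
             "InitiatingProcessParentFileName")


def is_lolbin_initiated(row):
    # KQL has_any is case-insensitive; mirror that here.
    return row["InitiatingProcessFileName"].lower() in LOLBINS


def is_abnormal_extension(file_name):
    """True when the image name does not end in .dll (KQL endswith ignores case).
    Note this also matches names with no extension at all."""
    return not file_name.lower().endswith(".dll")


def split_device_name(device_name):
    """HostName / DnsDomain exactly as the two extend lines compute them."""
    if "." in device_name:
        host, _, domain = device_name.partition(".")
        return host, domain
    return device_name, ""


def detect(image_loads, network_events, unique_left=True):
    """Return the projected alert rows.

    unique_left=True reproduces Kusto's default join flavour (innerunique):
    only the first left row per key participates, so a process that loads
    several abnormal images yields one row per public connection, not one
    per image. Set it False for a plain inner join (every image x every
    connection). Which left row innerunique keeps is not guaranteed in KQL;
    here it is simply the first one seen.
    """
    left = [r for r in image_loads
            if is_lolbin_initiated(r) and is_abnormal_extension(r["FileName"])]
    right = [r for r in network_events
             if is_lolbin_initiated(r) and r["RemoteIPType"] == "Public"]
    right_by_key = {}
    for r in right:
        right_by_key.setdefault(tuple(r[k] for k in JOIN_KEYS), []).append(r)

    seen, results = set(), []
    for l in left:
        key = tuple(l[k] for k in JOIN_KEYS)
        if unique_left:
            if key in seen:
                continue
            seen.add(key)
        for r in right_by_key.get(key, []):
            merged = {**r, **l}  # same-named columns (TimeGenerated, DeviceName) come from the left
            out = {k: merged.get(k) for k in PROJECTED}
            out["HostName"], out["DnsDomain"] = split_device_name(out["DeviceName"])
            results.append(out)
    return results


# --- Constructed sample telemetry (invented, not real data) -----------------
def _proc(name, pid, cmd, ctime="2024-05-01T10:00:00Z"):
    return {"InitiatingProcessFileName": name, "InitiatingProcessId": pid,
            "InitiatingProcessCreationTime": ctime, "InitiatingProcessCommandLine": cmd}


def _load(ts, dev, fname, folder, sha1, parent, proc):
    return {"TimeGenerated": ts, "DeviceName": dev, "FileName": fname, "FolderPath": folder,
            "SHA1": sha1, "InitiatingProcessParentFileName": parent, **proc}


def _net(ts, dev, rip, rport, rtype, url, proc):
    return {"TimeGenerated": ts, "DeviceName": dev, "LocalIP": "10.1.2.3", "LocalPort": 51000,
            "RemoteIP": rip, "RemotePort": rport, "RemoteIPType": rtype, "RemoteUrl": url, **proc}


RUNDLL_A = _proc("rundll32.exe", 4321, r"rundll32.exe C:\Users\Public\payload.txt,Start")
REGSVR_B = _proc("regsvr32.exe", 5555, r"regsvr32.exe /s C:\Windows\System32\legit.dll")
RUNDLL_C = _proc("rundll32.exe", 6666, r"rundll32.exe C:\Temp\thing.ocx,Run")
SVCHOST_D = _proc("svchost.exe", 7777, "svchost.exe -k netsvcs")

IMAGE_LOADS = [
    _load("2024-05-01T10:00:01Z", "ws01.corp.example", "payload.txt", r"C:\Users\Public\payload.txt", "a" * 40, "winword.exe", RUNDLL_A),
    _load("2024-05-01T10:00:02Z", "ws01.corp.example", "stage2.bin", r"C:\Users\Public\stage2.bin", "b" * 40, "winword.exe", RUNDLL_A),
    _load("2024-05-01T10:05:00Z", "ws02.corp.example", "Legit.DLL", r"C:\Windows\System32\Legit.DLL", "c" * 40, "services.exe", REGSVR_B),
    _load("2024-05-01T10:07:00Z", "ws03.corp.example", "thing.ocx", r"C:\Temp\thing.ocx", "d" * 40, "cmd.exe", RUNDLL_C),
    _load("2024-05-01T10:09:00Z", "srv01", "foo.bin", r"C:\Temp\foo.bin", "e" * 40, "services.exe", SVCHOST_D),
]
NETWORK_EVENTS = [
    _net("2024-05-01T10:00:03Z", "ws01.corp.example", "203.0.113.10", 443, "Public", "cdn.example", RUNDLL_A),
    _net("2024-05-01T10:00:04Z", "ws01.corp.example", "10.0.0.5", 445, "Private", "", RUNDLL_A),
    _net("2024-05-01T10:05:01Z", "ws02.corp.example", "198.51.100.7", 443, "Public", "", REGSVR_B),
    _net("2024-05-01T10:07:01Z", "ws03.corp.example", "10.0.0.9", 80, "Private", "", RUNDLL_C),
    _net("2024-05-01T10:09:01Z", "srv01", "198.51.100.8", 443, "Public", "", SVCHOST_D),
]

if __name__ == "__main__":
    for row in detect(IMAGE_LOADS, NETWORK_EVENTS):
        print(row["HostName"], row["InitiatingProcessFileName"], row["FileName"], "->", row["RemoteIP"])
```

Run against the sample rows, only `ws01` fires: `payload.txt` loaded by rundll32.exe with a connection to 203.0.113.10. `Legit.DLL` is excluded by the case-insensitive extension check, `thing.ocx` never reached a public address, and svchost.exe is not one of the two binaries. With `unique_left=False` the same process yields two rows (one per abnormal image), which is what you would see after changing the rule to `join kind=inner`. Because the rule queries both tables over the same one-hour window, an image load whose public connection happens only in the next window is not joined and does not alert.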
description: |
  This query looks for regsvr32.exe or rundll32.exe loading image files whose name does not end in .dll,
  and joins those image loads to network connections from the same process to public IP addresses.
  References:
  https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/
kind: Scheduled
tactics:
- DefenseEvasion
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceImageLoadEvents
      - DeviceNetworkEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml
severity: High
name: Regsvr32 Rundll32 Image Loads Abnormal Extension
triggerThreshold: 0
queryPeriod: 1h
query: |
  DeviceImageLoadEvents
  | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
  | where FileName !endswith ".dll"
  | join (
      DeviceNetworkEvents
      | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
      | where RemoteIPType == "Public"
  ) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine
  | project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, LocalIP, LocalPort, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
relevantTechniques:
- T1218.010
- T1218.011
id: 36fbd4e7-5630-4414-aa42-702a7fdded21
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.0
tags:
- Defense Evasion
- Image Load
- Regsvr32 Abuse
- Rundll32 Abuse
entityMappings:
  - entityType: Host
    fieldMappings:
      - columnName: DeviceName
        identifier: FullName
      - columnName: HostName
        identifier: HostName
      - columnName: DnsDomain
        identifier: DnsDomain
  - entityType: IP
    fieldMappings:
      - columnName: LocalIP
        identifier: Address
  - entityType: IP
    fieldMappings:
      - columnName: RemoteIP
        identifier: Address
  - entityType: URL
    fieldMappings:
      - columnName: RemoteUrl
        identifier: Url