Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Regsvr32 Rundll32 Image Loads Abnormal Extension

Back
Id36fbd4e7-5630-4414-aa42-702a7fdded21
RulenameRegsvr32 Rundll32 Image Loads Abnormal Extension
DescriptionThis query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll.

Joins the data to public network events.

References:

https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/
SeverityHigh
TacticsDefenseEvasion
TechniquesT1218.010
T1218.011
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml
Version1.0.0
Arm template36fbd4e7-5630-4414-aa42-702a7fdded21.json
Deploy To Azure
DeviceImageLoadEvents 
| where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
| where FileName !endswith ".dll"
| join (
DeviceNetworkEvents
| where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
| where RemoteIPType == "Public"
) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, LocalIP, LocalPort, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml
status: Available
id: 36fbd4e7-5630-4414-aa42-702a7fdded21
query: |
  DeviceImageLoadEvents 
  | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
  | where FileName !endswith ".dll"
  | join (
  DeviceNetworkEvents
  | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
  | where RemoteIPType == "Public"
  ) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine
  | project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, LocalIP, LocalPort, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
tags:
- Defense Evasion
- Image Load
- Regsvr32 Abuse
- Rundll32 Abuse
description: |
  This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll.
  Joins the data to public network events.
  References:
  https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/  
name: Regsvr32 Rundll32 Image Loads Abnormal Extension
relevantTechniques:
- T1218.010
- T1218.011
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: LocalIP
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: RemoteIP
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: RemoteUrl
triggerThreshold: 0
severity: High
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  - DeviceNetworkEvents
  connectorId: MicrosoftThreatProtection
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.0
kind: Scheduled
tactics:
- DefenseEvasion
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/36fbd4e7-5630-4414-aa42-702a7fdded21')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/36fbd4e7-5630-4414-aa42-702a7fdded21')]",
      "properties": {
        "alertRuleTemplateName": "36fbd4e7-5630-4414-aa42-702a7fdded21",
        "customDetails": null,
        "description": "This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll.\nJoins the data to public network events.\nReferences:\nhttps://threathunt.blog/running-live-malware-for-threat-hunting-purposes/\n",
        "displayName": "Regsvr32 Rundll32 Image Loads Abnormal Extension",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "LocalIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "RemoteIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RemoteUrl",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml",
        "query": "DeviceImageLoadEvents \n| where InitiatingProcessFileName has_any (\"rundll32.exe\",\"regsvr32.exe\")\n| where FileName !endswith \".dll\"\n| join (\nDeviceNetworkEvents\n| where InitiatingProcessFileName has_any (\"rundll32.exe\",\"regsvr32.exe\")\n| where RemoteIPType == \"Public\"\n) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine\n| project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, LocalIP, LocalPort, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1218.010",
          "T1218.011"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "tags": [
          "Defense Evasion",
          "Image Load",
          "Regsvr32 Abuse",
          "Rundll32 Abuse"
        ],
        "techniques": [
          "T1218"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}