Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Regsvr32 Rundll32 Image Loads Abnormal Extension

Back
Id36fbd4e7-5630-4414-aa42-702a7fdded21
RulenameRegsvr32 Rundll32 Image Loads Abnormal Extension
DescriptionThis query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll.

Joins the data to public network events.

References:

https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/
SeverityHigh
TacticsDefenseEvasion
TechniquesT1218.010
T1218.011
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml
Version1.0.0
Arm template36fbd4e7-5630-4414-aa42-702a7fdded21.json
Deploy To Azure
DeviceImageLoadEvents 
| where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
| where FileName !endswith ".dll"
| join (
DeviceNetworkEvents
| where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
| where RemoteIPType == "Public"
) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, LocalIP, LocalPort, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
id: 36fbd4e7-5630-4414-aa42-702a7fdded21
queryFrequency: 1h
tags:
- Defense Evasion
- Image Load
- Regsvr32 Abuse
- Rundll32 Abuse
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  - DeviceNetworkEvents
  connectorId: MicrosoftThreatProtection
query: |
  DeviceImageLoadEvents 
  | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
  | where FileName !endswith ".dll"
  | join (
  DeviceNetworkEvents
  | where InitiatingProcessFileName has_any ("rundll32.exe","regsvr32.exe")
  | where RemoteIPType == "Public"
  ) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine
  | project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, LocalIP, LocalPort, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
name: Regsvr32 Rundll32 Image Loads Abnormal Extension
status: Available
kind: Scheduled
description: |
  This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll.
  Joins the data to public network events.
  References:
  https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/  
severity: High
triggerOperator: gt
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
- entityType: IP
  fieldMappings:
  - columnName: LocalIP
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: RemoteIP
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: RemoteUrl
    identifier: Url
triggerThreshold: 0
queryPeriod: 1h
tactics:
- DefenseEvasion
relevantTechniques:
- T1218.010
- T1218.011
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/36fbd4e7-5630-4414-aa42-702a7fdded21')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/36fbd4e7-5630-4414-aa42-702a7fdded21')]",
      "properties": {
        "alertRuleTemplateName": "36fbd4e7-5630-4414-aa42-702a7fdded21",
        "customDetails": null,
        "description": "This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll.\nJoins the data to public network events.\nReferences:\nhttps://threathunt.blog/running-live-malware-for-threat-hunting-purposes/\n",
        "displayName": "Regsvr32 Rundll32 Image Loads Abnormal Extension",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "LocalIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "RemoteIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RemoteUrl",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml",
        "query": "DeviceImageLoadEvents \n| where InitiatingProcessFileName has_any (\"rundll32.exe\",\"regsvr32.exe\")\n| where FileName !endswith \".dll\"\n| join (\nDeviceNetworkEvents\n| where InitiatingProcessFileName has_any (\"rundll32.exe\",\"regsvr32.exe\")\n| where RemoteIPType == \"Public\"\n) on InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine\n| project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine, LocalIP, LocalPort, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessParentFileName\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1218.010",
          "T1218.011"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "tags": [
          "Defense Evasion",
          "Image Load",
          "Regsvr32 Abuse",
          "Rundll32 Abuse"
        ],
        "techniques": [
          "T1218"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}