SPL · Apache-2.0 · from splunk/security_content

Rundll32 Process Creating Exe Dll Files

The following analytic detects a rundll32 process creating executable (.exe) or dynamic-link library (.dll) files. It leverages Sysmon EventCode 11 (FileCreate) to identify instances where rundll32.exe writes a file with either of these extensions. This activity is significant because rundll32 is often abused by malware, such as IcedID, to drop malicious payloads in directories like Temp, AppData, or ProgramData. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, establish persistence, or escalate privileges within the environment.

Quality: 43 · FP risk: (not stated)
Rule source: detections/endpoint/rundll32_process_creating_exe_dll_files.yml
`sysmon` EventCode=11 Image="*rundll32.exe" TargetFilename IN ("*.exe", "*.dll")
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY action dest file_name
       file_path process_guid process_id
       user_id vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `rundll32_process_creating_exe_dll_files_filter`
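The search above can be exercised offline by re-implementing its filter and `stats` stage over a handful of constructed Sysmon EventCode 11 records. The following is an added example and is not code from splunk/security_content or from the Sysmon TA; it assumes the usual TA field mapping (Computer to dest, User to user_id, and constant action / vendor_product values) has already been applied, and the hostnames, GUIDs, paths and timestamps are made up for the example. The `allowlist` parameter stands in for the `rundll32_process_creating_exe_dll_files_filter` macro. Two behaviours worth seeing are that Splunk's wildcard comparison is case-insensitive (so `loader.DLL` matches `*.dll`) and that `stats ... BY` silently drops any event that is missing one of the BY fields, so a record without `vendor_product` never surfaces.

```python
import fnmatch

# Fields the SPL groups on; stats BY drops events missing any of them.
GROUP_BY = ("action", "dest", "file_name", "file_path", "process_guid",
            "process_id", "user_id", "vendor_product")


def _ev(**overrides):
    """Build one constructed, CIM-mapped Sysmon EventCode 11 record (assumed mapping)."""
    base = {"EventCode": 11, "_time": 1700000000, "action": "created", "dest": "ws01",
            "Image": r"C:\Windows\System32\rundll32.exe", "process_guid": "{A1}",
            "process_id": 4120, "user_id": r"CORP\alice",
            "vendor_product": "Microsoft Sysmon",
            "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.dll"}
    base.update(overrides)
    return base


# Constructed sample events: four should match, four should not.
SAMPLE_EVENTS = [
    _ev(),                                                   # hit: DLL dropped in Temp
    _ev(_time=1700000020),                                   # hit: same file written again
    _ev(_time=1700000030, TargetFilename=r"C:\ProgramData\svc.exe"),  # hit: second payload
    _ev(_time=1700000060, Image=r"C:\Windows\SysWOW64\rundll32.exe",  # hit: WOW64 + mixed case
        process_guid="{B2}", process_id=5580,
        TargetFilename=r"C:\Users\alice\AppData\Roaming\loader.DLL"),
    _ev(_time=1700000090,                                    # miss: not .exe/.dll
        TargetFilename=r"C:\Users\alice\AppData\Local\Temp\cache.tmp"),
    _ev(_time=1700000120, Image=r"C:\Windows\explorer.exe",  # miss: wrong image
        process_guid="{C3}", process_id=900,
        TargetFilename=r"C:\Users\alice\Downloads\setup.exe"),
    _ev(_time=1700000150, EventCode=1),                      # miss: not a FileCreate event
    _ev(_time=1700000180, vendor_product=None,               # miss: BY field absent
        TargetFilename=r"C:\ProgramData\x.dll"),
]


def spl_match(value, pattern):
    """Approximate Splunk's field="..." wildcard comparison: '*' spans any run of
    characters (including backslashes) and the match is case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def detect(events, allowlist=lambda row: True):
    """Mirror the SPL: EventCode=11, Image="*rundll32.exe", TargetFilename IN
    ("*.exe", "*.dll"), then stats count/min(_time)/max(_time) BY GROUP_BY, and
    finally the site filter macro (here a plain predicate on each result row)."""
    groups = {}
    for ev in events:
        if ev.get("EventCode") != 11 or not spl_match(ev.get("Image", ""), "*rundll32.exe"):
            continue
        target = ev.get("TargetFilename", "")
        if not any(spl_match(target, p) for p in ("*.exe", "*.dll")):
            continue
        # file_path / file_name as the TA derives them from TargetFilename
        row = dict(ev, file_path=target, file_name=target.rsplit("\\", 1)[-1])
        if any(row.get(f) is None for f in GROUP_BY):
            continue  # stats BY excludes events with a null BY field
        key = tuple(row[f] for f in GROUP_BY)
        agg = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                      "lastTime": ev["_time"]})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], ev["_time"])
        agg["lastTime"] = max(agg["lastTime"], ev["_time"])
    results = [dict(zip(GROUP_BY, key), **agg) for key, agg in groups.items()]
    return [r for r in results if allowlist(r)]


if __name__ == "__main__":
    for r in detect(SAMPLE_EVENTS):
        print(r["dest"], r["user_id"], r["process_id"], r["file_path"],
              r["count"], r["firstTime"], r["lastTime"])
```

Running the script yields three result rows: `update.dll` with count 2 (the two writes collapse into one row with first and last time 20 seconds apart), `svc.exe`, and `loader.DLL`. The `.tmp`, explorer.exe and EventCode 1 records are filtered out as the rule intends, and the record lacking `vendor_product` disappears without any hint; if your Sysmon TA does not populate every BY field, the search returns nothing and the absence is easy to mistake for a clean environment. Tuning belongs in the filter macro rather than in the search body, for example excluding a known installer that legitimately stages executables under ProgramData.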