title: Application Executed Non-Executable Extension
id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf
status: experimental
description: Detects the execution of rundll32 with a command line that doesn't contain a .dll file
references:
    - https://twitter.com/mrd0x/status/1481630810495139841?s=12
author: Tim Shelton, Florian Roth
date: 2022/01/13
modified: 2022/01/27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
    filter_empty:
        CommandLine: null
    filter:
        - CommandLine|contains: '.dll'
        - CommandLine: ''
    filter_iexplorer:
        ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
        CommandLine|contains: '.cpl'
    condition: selection and not 1 of filter*
fields:
    - Image
    - CommandLine
falsepositives:
    - Unknown
level: high