[metadata] creation_date = "2020/10/19" integration = ["endpoint", "windows"] maturity = "production" updated_date = "2024/05/21" [rule] author = ["Elastic"] description = "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code." false_positives = ["Microsoft Windows installers leveraging RunDLL32 for installation."] from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Command Shell Activity Started via RunDLL32" risk_score = 21 rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093" setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate `event.ingested` to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and process.name : ("cmd.exe", "powershell.exe") and process.parent.name : "rundll32.exe" and process.parent.command_line != null and /* common FPs can be added here */ not process.parent.args : ("C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL", "C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc") ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" [[rule.threat.technique.subtechnique]] id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/"