Discovery and Enumeration of System Information via Rundll32
Identifies initial system enumeration and discovery commands tied to remote access tools that leverage `rundll32.exe`.
| id | 35d27938-d13d-4bcd-9be7-3a69d208c63f |
|---|---|
| categories | detect |
| confidence | medium |
| os | windows |
| created | 12/04/2019 |
| updated | 12/04/2019 |
MITRE ATT&CK™ Mapping

| tactics | Discovery |
|---|---|
| techniques | T1087 Account Discovery, T1096 NTFS File Attributes, T1033 System Owner/User Discovery |
Query

```eql
sequence with maxspan=1h
  [process where subtype.create and process_name == "rundll32.exe"] by unique_pid
  [network where subtype.outgoing and process_name == "rundll32.exe"] by unique_pid
  [process where subtype.create and parent_process_name == "rundll32.exe"] by unique_ppid
```
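To show what the three-stage sequence actually joins on, here is the same logic emulated in plain Python over a constructed event stream (an added example, not part of the analytic or the EQL library). The event field names mirror the query; the events, pids and timestamps are made up, and the whole chain is keyed on the rundll32 `unique_pid`, which the child stage reaches through `unique_ppid`.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(hours=1)  # mirrors "with maxspan=1h"

# Constructed sample events (not real telemetry). pid 100 completes the chain;
# pid 200 spawns its child after maxspan; pid 300 never talks to the network.
EVENTS = [
    {"ts": "2019-12-04T10:00:00", "event_type": "process", "subtype": "create",
     "process_name": "rundll32.exe", "unique_pid": 100, "parent_process_name": "explorer.exe"},
    {"ts": "2019-12-04T10:05:00", "event_type": "network", "subtype": "outgoing",
     "process_name": "rundll32.exe", "unique_pid": 100},
    {"ts": "2019-12-04T10:06:00", "event_type": "process", "subtype": "create",
     "process_name": "whoami.exe", "unique_pid": 101, "unique_ppid": 100,
     "parent_process_name": "rundll32.exe"},
    {"ts": "2019-12-04T11:00:00", "event_type": "process", "subtype": "create",
     "process_name": "rundll32.exe", "unique_pid": 200, "parent_process_name": "explorer.exe"},
    {"ts": "2019-12-04T11:01:00", "event_type": "network", "subtype": "outgoing",
     "process_name": "rundll32.exe", "unique_pid": 200},
    {"ts": "2019-12-04T13:30:00", "event_type": "process", "subtype": "create",
     "process_name": "net.exe", "unique_pid": 201, "unique_ppid": 200,
     "parent_process_name": "rundll32.exe"},
    {"ts": "2019-12-04T12:00:00", "event_type": "process", "subtype": "create",
     "process_name": "rundll32.exe", "unique_pid": 300, "parent_process_name": "explorer.exe"},
    {"ts": "2019-12-04T12:01:00", "event_type": "process", "subtype": "create",
     "process_name": "whoami.exe", "unique_pid": 301, "unique_ppid": 300,
     "parent_process_name": "rundll32.exe"},
]


def match_sequence(events):
    """Return (rundll32 pid, child name) for every completed three-stage chain."""
    state = {}  # rundll32 unique_pid -> (stage reached, time of stage-1 event)
    matches = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        is_create = e["event_type"] == "process" and e["subtype"] == "create"
        if is_create and e["process_name"] == "rundll32.exe":
            state[e["unique_pid"]] = (1, t)  # stage 1: rundll32 created
        elif e["event_type"] == "network" and e["subtype"] == "outgoing" \
                and e["process_name"] == "rundll32.exe":
            key = e["unique_pid"]
            if key in state and state[key][0] == 1 and t - state[key][1] <= MAXSPAN:
                state[key] = (2, state[key][1])  # stage 2: outbound connection
        elif is_create and e.get("parent_process_name") == "rundll32.exe":
            key = e["unique_ppid"]
            if key in state and state[key][0] == 2 and t - state[key][1] <= MAXSPAN:
                matches.append((key, e["process_name"]))  # stage 3: child spawned
                del state[key]  # the sequence is consumed once it completes
    return matches
```

Running `match_sequence(EVENTS)` yields only the pid 100 chain, which is the point of the `maxspan` and the network stage: a rundll32 that merely spawns a child, or one whose child arrives hours later, does not alert.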