Discovery and Enumeration of System Information via Rundll32

Identifies initial system enumeration and discovery commands tied to remote access tools that leverage `rundll32.exe`.

id:35d27938-d13d-4bcd-9be7-3a69d208c63f
categories:detect
confidence:medium
os:windows
created:12/04/2019
updated:12/04/2019

MITRE ATT&CK™ Mapping

tactics:Discovery
techniques:T1087 Account Discovery, T1096 NTFS File Attributes, T1033 System Owner/User Discovery

Query

sequence with maxspan=1h
  [process where subtype.create and process_name == "rundll32.exe"] by unique_pid
  [network where subtype.outgoing and process_name == "rundll32.exe"] by unique_pid
  [process where subtype.create and parent_process_name == "rundll32.exe"] by unique_ppid
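
The three-stage sequence above can be replayed against endpoint events to see why the join keys and `maxspan` matter. The following is an added example, not part of the analytic or of EQL itself: it assumes a flat event-dict schema (`event_type`, `subtype`, `process_name`, `parent_process_name`, `unique_pid`, `unique_ppid`, `timestamp`) and uses constructed sample events.

```python
"""Simplified replay of the rundll32.exe EQL sequence (added example, not
the analytic's own code). Assumes a flat event-dict schema and constructed
sample data; it is not an EQL engine."""
from datetime import datetime, timedelta

MAXSPAN = timedelta(hours=1)   # mirrors "sequence with maxspan=1h"
T0 = datetime(2019, 12, 4, 10, 0, 0)


def ev(event_type, subtype, name, parent, pid, ppid, minutes):
    """Build one constructed endpoint event `minutes` after T0."""
    return {"event_type": event_type, "subtype": subtype, "process_name": name,
            "parent_process_name": parent, "unique_pid": pid,
            "unique_ppid": ppid, "timestamp": T0 + timedelta(minutes=minutes)}


# Constructed sample: one full chain (pid 1001), one rundll32 that spawns a
# child without connecting out (2001), one whose child arrives after 1h (3001).
SAMPLE_EVENTS = [
    ev("process", "create", "rundll32.exe", "explorer.exe", 1001, 400, 0),
    ev("network", "outgoing", "rundll32.exe", "explorer.exe", 1001, 400, 2),
    ev("process", "create", "whoami.exe", "rundll32.exe", 1002, 1001, 3),
    ev("process", "create", "rundll32.exe", "svchost.exe", 2001, 500, 0),
    ev("process", "create", "dllhost.exe", "rundll32.exe", 2002, 2001, 1),
    ev("process", "create", "rundll32.exe", "explorer.exe", 3001, 400, 0),
    ev("network", "outgoing", "rundll32.exe", "explorer.exe", 3001, 400, 10),
    ev("process", "create", "cmd.exe", "rundll32.exe", 3002, 3001, 90),
]


def match_rundll32_sequence(events):
    """Return unique_pid of each rundll32.exe that, in order and within MAXSPAN
    of creation, connected out and then spawned a child (stages 1-2 join on
    unique_pid, stage 3 joins on unique_ppid)."""
    state = {}   # join key -> (stage reached, timestamp of stage 1)
    hits = []
    for e in sorted(events, key=lambda x: x["timestamp"]):
        is_proc = e["event_type"] == "process" and e["subtype"] == "create"
        is_net = e["event_type"] == "network" and e["subtype"] == "outgoing"
        if is_proc and e["process_name"] == "rundll32.exe":
            state[e["unique_pid"]] = (1, e["timestamp"])        # stage 1
        elif is_net and e["process_name"] == "rundll32.exe":
            key, s = e["unique_pid"], state.get(e["unique_pid"])
            if s and s[0] == 1 and e["timestamp"] - s[1] <= MAXSPAN:
                state[key] = (2, s[1])                          # stage 2
        elif is_proc and e["parent_process_name"] == "rundll32.exe":
            key, s = e["unique_ppid"], state.get(e["unique_ppid"])
            if s and s[0] == 2 and e["timestamp"] - s[1] <= MAXSPAN:
                hits.append(key)                                # stage 3
                del state[key]
    return hits
```

Only pid 1001 completes all three stages in order inside the window; 2001 never reaches stage 2 and 3001's child falls outside `maxspan`, so neither fires.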

Contributors