Rundll Loading DLL By Ordinal

Description

This search looks for executing scripts with rundll32. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

This search looks for executing scripts with rundll32. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Signed Binary Proxy Execution

Rundll32

MITRE Threat Groups

APT19
APT28
APT29
APT3
APT32
Blue Mockingbird
Carbanak
CopyKittens
Gamaredon Group
MuddyWater
Sandworm Team
TA505

Kill Chain Phases

Installation

Data Sources

Endpoint Detection and Response

   Help

Rundll Loading DLL By Ordinal Help

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

   Search

Open in Search