LOLBin Rundll32
This query detects Rundll32 being launched by parent processes that are commonly abused to start it (Office applications, script hosts, cmd.exe and mshta.exe).
Tags: EDR, hunting, T1218.011, T1564.004
FDR intermediate, by ByteRay GmbH (cql-hub.com), 1 min read
Query
in(#event_simpleName, values=["ProcessRollup2","ProcessBlocked"])
| event_platform=Win and ImageFileName=/rundll32.exe/i
| in(ParentBaseFileName, values=["cmd.exe","winword.exe","powerpnt.exe","excel.exe","outlook.exe","mshta.exe","cscript.exe","wscript.exe"])
Explanation
Imported from cql-hub.com. The first line selects process-creation and process-blocked events (ProcessRollup2, ProcessBlocked). The second pipe restricts the result to Windows endpoints whose ImageFileName matches rundll32.exe (case-insensitive, unanchored regex). The third pipe keeps only events whose ParentBaseFileName is one of the listed launchers that are frequently abused to start Rundll32.
Variables to adjust
Review and adjust the values (in particular the ParentBaseFileName list) to suit your environment.
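The same three filters expressed as a small Python checker run over constructed sample events, so the matching behaviour (case-insensitive image match, exact parent match) can be verified offline. This is an added example, not code from the cql-hub.com page; the event dictionaries and their field values are constructed, not real telemetry.

```python
import re

# Value sets taken directly from the query above
EVENT_NAMES = {"ProcessRollup2", "ProcessBlocked"}
SUSPICIOUS_PARENTS = {"cmd.exe", "winword.exe", "powerpnt.exe", "excel.exe",
                      "outlook.exe", "mshta.exe", "cscript.exe", "wscript.exe"}
# /rundll32.exe/i in the query: unanchored, case-insensitive; the unescaped
# dot matches any character, exactly as written in the query
IMAGE_RE = re.compile(r"rundll32.exe", re.IGNORECASE)


def matches_lolbin_rundll32(event: dict) -> bool:
    """Return True when an event satisfies all three pipes of the query."""
    if event.get("#event_simpleName") not in EVENT_NAMES:
        return False
    if event.get("event_platform") != "Win":
        return False
    if not IMAGE_RE.search(event.get("ImageFileName", "")):
        return False
    # in() without ignoreCase is an exact membership test on the parent name
    return event.get("ParentBaseFileName") in SUSPICIOUS_PARENTS


def hunt(events):
    """Apply the detection to a list of events and return the hits."""
    return [e for e in events if matches_lolbin_rundll32(e)]


# Constructed sample events (illustrative values only)
SAMPLE_EVENTS = [
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Win",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\RUNDLL32.EXE",
     "ParentBaseFileName": "winword.exe"},            # hit: Office parent
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Win",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\rundll32.exe",
     "ParentBaseFileName": "explorer.exe"},           # benign parent, no hit
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Win",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\regsvr32.exe",
     "ParentBaseFileName": "cmd.exe"},                # other binary, no hit
    {"#event_simpleName": "ProcessBlocked", "event_platform": "Win",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\SysWOW64\rundll32.exe",
     "ParentBaseFileName": "mshta.exe"},              # hit: blocked launch
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["#event_simpleName"], hit["ParentBaseFileName"], hit["ImageFileName"])
```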