System Binary Proxy Execution: Rundll32 T1218.011

Events covered

13 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 124 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (46 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Top indicator values (817 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Exclusions (246 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 43 rules

• APT29 2018 Phishing Campaign CommandLine Indicators
• APT29 2018 Phishing Campaign File Indicators
• Bad Opsec Defaults Sacrificial Processes With Improper Arguments
• CobaltStrike Load by Rundll32
• Code Execution via Pcwutl.dll
• DLL Call by Ordinal Via Rundll32.EXE
• Equation Group DLL_U Export Function Load
• EvilNum APT Golden Chickens Deployment Via OCX Files
• Fireball Archer Install
• HackTool - F-Secure C3 Load by Rundll32
• HackTool - RedMimicry Winnti Playbook Execution
• HTML Help HH.EXE Suspicious Child Process
• IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
• Kapeka Backdoor Execution Via RunDLL32.EXE
• Kapeka Backdoor Loaded Via Rundll32.EXE
• NotPetya Ransomware Activity
• Outbound Network Connection To Public IP Via Winlogon
• Potential Bumblebee Remote Thread Creation
• Potential Emotet Rundll32 Execution
• Potential PowerShell Execution Via DLL
• Potential Raspberry Robin CPL Execution Activity
• Potentially Suspicious Rundll32 Activity
• Potentially Suspicious Rundll32.EXE Execution of UDL File
• Process Access via TrolleyExpress Exclusion
• Remote Thread Creation Via PowerShell In Uncommon Target
• Rhadamanthys Stealer Module Launch Via Rundll32.EXE
• Rundll32 Execution With Uncommon DLL Extension
• Rundll32 InstallScreenSaver Execution
• Rundll32 Internet Connection
• RunDLL32 Spawning Explorer
• Rundll32 UNC Path Execution
• SCR File Write Event
• ScreenSaver Registry Key Set
• Shell32 DLL Execution in Suspicious Directory
• Sofacy Trojan Loader Activity
• Suspicious Control Panel DLL Load
• Suspicious HH.EXE Execution
• Suspicious Rundll32 Activity Invoking Sys File
• Suspicious Rundll32 Execution With Image Extension
• Suspicious Rundll32 Setupapi.dll Activity
• Suspicious ShellExec_RunDLL Call Via Ordinal
• Unsigned DLL Loaded by Windows Utility
• ZxShell Malware

Elastic 29 rules

• Command Shell Activity Started via RunDLL32
• Delayed Execution via Ping
• Execution from Unusual Directory - Command Line
• Execution of Persistent Suspicious Program
• Execution via GitHub Actions Runner
• Execution via Microsoft DotNet ClickOnce Host
• Execution via OpenClaw Agent
• File or Directory Deletion Command
• Potential Command and Control via Internet Explorer
• Potential Credential Access via Renamed COM+ Services DLL
• Potential Credential Access via Windows Utilities
• Potential Local NTLM Relay via HTTP
• Potential Protocol Tunneling via Yuze
• Rare Connection to WebDAV Target
• Script Execution via Microsoft HTML Application
• Service Control Spawned via Script Interpreter
• Suspicious .NET Code Compilation
• Suspicious Execution from a Mounted Device
• Suspicious Execution from VS Code Extension
• Suspicious Explorer Child Process
• Suspicious JetBrains TeamCity Child Process
• Suspicious Microsoft HTML Application Child Process
• Suspicious MS Office Child Process
• Suspicious ScreenConnect Client Child Process
• Suspicious Shell Execution via Velociraptor
• Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
• Unusual Child Processes of RunDLL32
• Unusual Network Connection via RunDLL32
• Windows Server Update Service Spawning Suspicious Processes

Splunk 50 rules

• Control_RunDLL Call from Command Line (Sysmon)
• Control_RunDLL Call from Command Line (Windows Event Log)
• DLL Called with RS32 (PowerShell)
• DLL Called with RS32 (Sysmon)
• DLL Called with RS32 (Windows Event Log)
• DLL Called with Uncommon Function (PowerShell)
• DLL Called with Uncommon Function (Sysmon)
• DLL Called with Uncommon Function (Windows Event Log)
• DLL Execution from Uncommon Process (PowerShell)
• DLL Execution from Uncommon Process (Sysmon)
• DLL Execution from Uncommon Process (Windows Event Log)
• DLLRegisterServer Called from Command Line (PowerShell)
• DLLRegisterServer Called from Command Line (Sysmon)
• DLLRegisterServer Called from Command Line (Windows Event Log)
• Executable Process from Suspicious Folder (PowerShell)
• Executable Process from Suspicious Folder (Sysmon)
• Executable Process from Suspicious Folder (Windows Event Log)
• RunDLL Loading DLL By Ordinal
• Rundll32 Command Line (PowerShell)
• Rundll32 Command Line (Sysmon)
• Rundll32 Command Line (Windows Event Log)
• Rundll32 Control RunDLL Hunt
• Rundll32 Control RunDLL World Writable Directory
• Rundll32 DNSQuery
• Rundll32 LockWorkStation
• Rundll32 Process Creating Exe Dll Files
• Rundll32 Suspicious Command Line (PowerShell)
• Rundll32 Suspicious Command Line (Sysmon)
• Rundll32 Suspicious Command Line (Windows Event Log)
• rundll32 Suspicious Parent Process (Sysmon)
• rundll32 Suspicious Parent Process (Windows Event Log)
• Rundll32 with no Command Line Arguments with Network
• rundll32 with No DLL in Command Line (Sysmon)
• rundll32 with No DLL in Command Line (Windows Event Log)
• Rundll32.exe as Parent Process (Sysmon)
• Rundll32.exe as Parent Process (Windows Event Log)
• rundll32.exe Executing DLL from Non-standard Directory (PowerShell)
• rundll32.exe Executing DLL from Non-standard Directory (Sysmon)
• rundll32.exe Executing DLL from Non-standard Directory (Windows Event Log)
• Suspicious IcedID Rundll32 Cmdline
• Suspicious Rundll32 dllregisterserver
• Suspicious Rundll32 no Command Line Arguments
• Suspicious Rundll32 PluginInit
• Suspicious Rundll32 StartW
• Windows Application Whitelisting Bypass Attempt via Rundll32
• Windows LOLBAS Executed As Renamed File
• Windows LOLBAS Executed Outside Expected Path
• Windows Rundll32 Apply User Settings Changes
• Windows Rundll32 Load DLL in Temp Dir
• Windows Rundll32 with Non-Standard File Extension

Kusto 2 rules

• Regsvr32 Rundll32 Image Loads Abnormal Extension
• Regsvr32 Rundll32 with Anomalous Parent Process