HUNTS- Rundll32 (T1085)
Version 1.0
ATT&CK Technique: Rundll32 (T1085)
What this playbook hunts for:
- Processes spawned by Rundll32.exe where the executable does not reside in a standard directory. Rundll32.exe can be used to execute malicious code. Rundll32.exe is an example of a Living off the Land (LOL) binary: native Windows executables that are rarely blocked by AppLocker or anti-virus software.
How the playbook works:
- Generates a SIEM query for Sysmon Event ID 1 logs where Rundll32.exe is the parent process of an executable that does not reside in a standard folder
What results are expected:
- Name, process ID, and path of the process spawned by Rundll32.exe
- Command line arguments for Rundll32.exe
- MD5 hash of the process spawned by Rundll32.exe
- Child process spawn time
- Hostname of the computer where Rundll32.exe was executed
- User account that was used to execute Rundll32.exe
Common follow-on actions:
- Acquire forensic image
- Sandbox file
- Get running processes
- Get network connections
- Quarantine host
What inputs are necessary:
- SIEM
- Logs: Sysmon Event ID 1: Process creation
- Hunt start time
What subroutine playbooks are needed:
- Create and Link Alerts from Hunt (Host-based)
What configurations are needed:
- Sysmon logging enabled
False Positive Potential: Medium to High
- Depending upon the organization's policies regarding execution of files outside of Windows directories and Program Files, execution of files with Rundll32.exe as a parent process may be relatively common. In these instances, extensive whitelisting should be applied prior to executing this playbook.
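Added worked example (not part of the playbook and not a SIEM product query): the same filter the playbook's query expresses, applied in Python to a constructed CSV flattening of Sysmon Event ID 1 records. It keeps only events whose parent image is rundll32.exe and whose child image is outside the standard directories, extracts the fields listed under expected results (child name, PID and path, parent command line, MD5, spawn time, host, user), and takes an optional allowlist of known-good child paths to show the whitelisting the false-positive note calls for. The standard-directory list, the CSV flattening of the events, and every sample value below are assumptions made for the example.

```python
"""Added example (not the playbook's own code): hunt for rundll32.exe children
running from non-standard directories in Sysmon Event ID 1 records."""
from __future__ import annotations

import csv
import io
import ntpath
from dataclasses import dataclass

# Assumed definition of "standard directories"; adjust to organizational policy.
STANDARD_DIR_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample of Sysmon Event ID 1 records, flattened to CSV for the
# example. Real events arrive as EVTX/XML; column names follow Sysmon's fields.
SAMPLE_EVENTS = r'''UtcTime,Computer,User,ParentImage,ParentCommandLine,Image,ProcessId,Hashes
2024-01-15 10:02:11.001,WS01,CORP\alice,C:\Windows\System32\rundll32.exe,"rundll32.exe shell32.dll,Control_RunDLL",C:\Windows\System32\control.exe,4120,"MD5=11111111111111111111111111111111,SHA256=aaaa"
2024-01-15 10:03:40.512,WS01,CORP\alice,C:\Windows\System32\rundll32.exe,"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start",C:\Users\alice\AppData\Local\Temp\updater.exe,5208,"MD5=22222222222222222222222222222222,SHA256=bbbb"
2024-01-15 10:05:02.000,WS02,CORP\bob,C:\Windows\explorer.exe,explorer.exe,C:\Users\bob\Downloads\tool.exe,6100,"MD5=33333333333333333333333333333333,SHA256=cccc"
2024-01-15 10:06:30.250,WS03,CORP\carol,C:\Windows\SysWOW64\rundll32.exe,"rundll32.exe C:\Program Files\Vendor\helper.dll,Run",C:\ProgramData\Vendor\agent.exe,7001,"MD5=44444444444444444444444444444444,SHA256=dddd"
'''


@dataclass(frozen=True)
class Finding:
    """One hit, carrying the fields the playbook lists as expected results."""
    host: str
    user: str
    parent_command_line: str
    child_image: str
    child_pid: int
    child_md5: str
    spawn_time_utc: str


def in_standard_directory(image_path: str) -> bool:
    """True if the executable resides under one of the standard directories."""
    return image_path.lower().startswith(STANDARD_DIR_PREFIXES)


def md5_from_hashes(hashes: str) -> str:
    """Pull the MD5 digest out of Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in hashes.split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "MD5":
            return digest.strip().lower()
    return ""


def hunt_rundll32_children(csv_text: str,
                           allowlist: frozenset[str] = frozenset()) -> list[Finding]:
    """Return findings for children of rundll32.exe outside standard directories.

    allowlist: lowercase full paths of child images known to be benign in the
    environment (the whitelisting the playbook's false-positive note calls for).
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Match on the parent's file name so both System32 and SysWOW64 copies count.
        if ntpath.basename(row["ParentImage"]).lower() != "rundll32.exe":
            continue
        child = row["Image"]
        if in_standard_directory(child) or child.lower() in allowlist:
            continue
        findings.append(Finding(
            host=row["Computer"],
            user=row["User"],
            parent_command_line=row["ParentCommandLine"],
            child_image=child,
            child_pid=int(row["ProcessId"]),
            child_md5=md5_from_hashes(row["Hashes"]),
            spawn_time_utc=row["UtcTime"],
        ))
    return findings


if __name__ == "__main__":
    for f in hunt_rundll32_children(SAMPLE_EVENTS):
        print(f"{f.spawn_time_utc} {f.host} {f.user} pid={f.child_pid} "
              f"{f.child_image} md5={f.child_md5}")
        print(f"    rundll32 cmdline: {f.parent_command_line}")
```

Run as a script it reports two of the four sample events: the child in the user's Temp folder and the vendor agent under ProgramData; passing an allowlist containing the agent's path leaves only the first. In a SIEM the same logic is a parent-image ends-with match on rundll32.exe combined with a negated prefix match on the child image path, and the allowlist becomes the query's exclusion list.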
