Adversaries may use rundll32.exe to execute inline VBScript commands as part of initial access or persistence, leveraging the legitimate process to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise from advanced threats like Nobelium-based campaigns.
KQL Query
(union isfuzzy=true
(SecurityEvent
| where EventID == 4688
| where Process =~ 'rundll32.exe'
| where CommandLine has_all ('Execute','RegRead','window.close')
| project TimeGenerated, Computer, SubjectAccount = Account, SubjectUserName, SubjectDomainName, SubjectUserSid, Process, ProcessId, NewProcessName, CommandLine, ParentProcessName, _ResourceId
),
(WindowsEvent
| where EventID == 4688 and EventData has 'rundll32.exe' and EventData has_any ('Execute','RegRead','window.close')
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend Process=tostring(split(NewProcessName, '\\')[-1])
| where Process =~ 'rundll32.exe'
| extend CommandLine = tostring(EventData.CommandLine)
| where CommandLine has_all ('Execute','RegRead','window.close')
| extend SubjectAccount = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
| extend ParentProcessName = tostring(EventData.ParentProcessName)
| project TimeGenerated, Computer, SubjectAccount, SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserSid = tostring(EventData.SubjectUserSid), Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
)
)
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
id: d82e1987-4356-4a7b-bc5e-064f29b143c0
name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript
description: |
  'This query identifies when rundll32.exe executes a specific set of inline VBScript commands
  References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'
severity: Medium
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvents
  - connectorId: WindowsForwardedEvents
    dataTypes:
      - WindowsEvent
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1547
tags:
  - Midnight Blizzard
query: |
  (union isfuzzy=true
  (SecurityEvent
  | where EventID == 4688
  | where Process =~ 'rundll32.exe'
  | where CommandLine has_all ('Execute','RegRead','window.close')
  | project TimeGenerated, Computer, SubjectAccount = Account, SubjectUserName, SubjectDomainName, SubjectUserSid, Process, ProcessId, NewProcessName, CommandLine, ParentProcessName, _ResourceId
  ),
  (WindowsEvent
  | where EventID == 4688 and EventData has 'rundll32.exe' and EventData has_any ('Execute','RegRead','window.close')
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Process=tostring(split(NewProcessName, '\\')[-1])
  | where Process =~ 'rundll32.exe'
  | extend CommandLine = tostring(EventData.CommandLine)
  | where CommandLine has_all ('Execute','RegRead','window.close')
  | extend SubjectAccount = strcat(EventData.SubjectDomainName,"\\", EventData.SubjectUserName)
  | extend ParentProcessName = tostring(EventData.ParentProcessName)
  | project TimeGenerated, Computer, SubjectAccount, SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserSid = tostring(EventData.SubjectUserSid), Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
  )
  )
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SubjectAccount
      - identifier: Name
        columnName: SubjectUserName
      - identifier: NTDomain
        columnName: SubjectDomainName
  - entityType: Account
    fieldMappings:
      - identifier: Sid
        columnName: SubjectUserSid
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.1.6
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
| WindowsEvent | Ensure this data connector is enabled |
Scenario: Scheduled Task Running VBScript for System Maintenance
Description: A legitimate scheduled task uses rundll32.exe to execute a VBScript that performs system cleanup or patching.
Filter/Exclusion: process.parent_process_name:"Task Scheduler" OR process.parent_process_path:"C:\\Windows\\System32\\schtasks.exe"

Scenario: Microsoft Office Macro Execution via VBScript
Description: A user runs a VBScript through rundll32.exe to execute a macro in Microsoft Office, such as Excel or Word.
Filter/Exclusion: process.name:"excel.exe" OR process.name:"winword.exe" OR process.name:"msaccess.exe"

Scenario: PowerShell Script Execution via VBScript Bridge
Description: A PowerShell script is executed via a VBScript that calls rundll32.exe as part of a legitimate automation workflow.
Filter/Exclusion: process.name:"powershell.exe" OR process.command_line:"powershell.exe"

Scenario: Antivirus or Endpoint Protection VBScript Scan
Description: An endpoint protection tool uses rundll32.exe to execute a VBScript for scanning or updating its virus definitions.
Filter/Exclusion: process.name:"mpsvc.exe" OR process.name:"mpengine.exe" OR process.name:"mpcmdrun.exe"

Scenario: Legacy Application Compatibility Shim
Description: A legacy application uses rundll32.exe with a VBScript to ensure compatibility with older Windows versions or system settings.
Filter/Exclusion: process.name:"notepad.exe" OR process.name:"explorer.exe" OR process.name:"mspaint.exe" (common legacy app launchers)
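The following Python is an added example, not part of the rule or the Sentinel repository: it re-implements the matching logic of the KQL query above (both the flat SecurityEvent branch and the nested WindowsEvent branch, the case-insensitive `Process =~` test, the `has_all` term check and the HostName/HostNameDomain derivation) and then applies one of the tuning exclusions listed in the scenarios above (the scheduled-task parent path) as a post-filter. It runs offline over constructed 4688 records; the command lines, hostnames, accounts and SIDs are placeholders, and the `has` approximation tokenises on non-alphanumeric characters, which is close to but not identical with KQL's term indexing.

```python
import re
from typing import Dict, Iterable, List, Sequence, Tuple

# The three command-line terms the rule's has_all clause requires.
REQUIRED_TERMS = ("Execute", "RegRead", "window.close")

# Constructed sample records (not real telemetry). The first and third mimic the flat
# SecurityEvent table; the second and fourth mimic WindowsEvent with nested EventData.
SAMPLE_EVENTS = [
    {   # matches: rundll32.exe with all three terms
        "TimeGenerated": "2024-01-01T10:00:00Z", "Computer": "ws01.corp.example.com",
        "EventID": 4688, "Process": "rundll32.exe",
        "NewProcessName": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe placeholder.dll,Entry Execute RegRead window.close",
        "Account": "CORP\\alice", "SubjectUserName": "alice", "SubjectDomainName": "CORP",
        "SubjectUserSid": "S-1-5-21-0-0-0-1001", "ParentProcessName": "C:\\Windows\\explorer.exe",
    },
    {   # matches (mixed-case image name, nested fields) but parent is schtasks.exe
        "TimeGenerated": "2024-01-01T10:05:00Z", "Computer": "srv02", "EventID": 4688,
        "EventData": {
            "NewProcessName": "C:\\Windows\\System32\\RunDll32.EXE",
            "CommandLine": "RunDll32.EXE placeholder.dll,Entry execute regread WINDOW.CLOSE",
            "SubjectUserName": "svc_maint", "SubjectDomainName": "CORP",
            "SubjectUserSid": "S-1-5-21-0-0-0-1002",
            "ParentProcessName": "C:\\Windows\\System32\\schtasks.exe",
        },
    },
    {   # no match: window.close is missing
        "TimeGenerated": "2024-01-01T10:10:00Z", "Computer": "ws03.corp.example.com",
        "EventID": 4688, "Process": "rundll32.exe",
        "NewProcessName": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe placeholder.dll,Entry Execute RegRead",
        "Account": "CORP\\bob", "ParentProcessName": "C:\\Windows\\explorer.exe",
    },
    {   # no match: all terms present but the process is not rundll32.exe
        "TimeGenerated": "2024-01-01T10:15:00Z", "Computer": "ws04", "EventID": 4688,
        "EventData": {
            "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
            "CommandLine": "cmd.exe /c echo Execute RegRead window.close",
            "SubjectUserName": "carol", "SubjectDomainName": "CORP",
            "ParentProcessName": "C:\\Windows\\explorer.exe",
        },
    },
]


def _terms(text: str) -> List[str]:
    """Lower-cased alphanumeric tokens; a rough stand-in for KQL term indexing."""
    return re.findall(r"[a-z0-9]+", text.lower())


def has(haystack: str, needle: str) -> bool:
    """Approximate KQL `has`: the needle's tokens appear contiguously in the haystack."""
    hay, nee = _terms(haystack), _terms(needle)
    if not nee:
        return False
    return any(hay[i:i + len(nee)] == nee for i in range(len(hay) - len(nee) + 1))


def has_all(haystack: str, needles: Sequence[str]) -> bool:
    return all(has(haystack, n) for n in needles)


def normalize(event: Dict) -> Dict:
    """Flatten either table shape into the columns the rule projects."""
    if "EventData" in event:  # WindowsEvent branch: rebuild Process/CommandLine/SubjectAccount
        d = event["EventData"]
        new_proc = str(d.get("NewProcessName", ""))
        return {
            "TimeGenerated": event["TimeGenerated"], "Computer": event["Computer"],
            "EventID": event["EventID"],
            "Process": new_proc.split("\\")[-1],  # split(NewProcessName, '\\')[-1]
            "NewProcessName": new_proc, "CommandLine": str(d.get("CommandLine", "")),
            "SubjectAccount": f'{d.get("SubjectDomainName", "")}\\{d.get("SubjectUserName", "")}',
            "SubjectUserName": str(d.get("SubjectUserName", "")),
            "SubjectDomainName": str(d.get("SubjectDomainName", "")),
            "SubjectUserSid": str(d.get("SubjectUserSid", "")),
            "ParentProcessName": str(d.get("ParentProcessName", "")),
        }
    row = dict(event)  # SecurityEvent branch: SubjectAccount = Account
    row["SubjectAccount"] = event.get("Account", "")
    row.setdefault("ParentProcessName", "")
    return row


def host_fields(computer: str) -> Tuple[str, str]:
    """HostName / HostNameDomain as the rule's trailing extend lines derive them."""
    idx = computer.find(".")
    return computer.split(".")[0], (computer[idx + 1:] if idx != -1 else computer)


def run_rule(events: Iterable[Dict]) -> List[Dict]:
    """Apply the rule's filters; returns the projected rows that would raise an alert."""
    hits = []
    for raw in events:
        row = normalize(raw)
        if row["EventID"] != 4688 or row["Process"].lower() != "rundll32.exe":
            continue
        if not has_all(row["CommandLine"], REQUIRED_TERMS):
            continue
        row["HostName"], row["HostNameDomain"] = host_fields(row["Computer"])
        hits.append(row)
    return hits


def exclude_parents(hits: List[Dict], excluded_parent_paths: Sequence[str]) -> List[Dict]:
    """Tuning step for the scheduled-task scenario: drop hits whose parent is an allow-listed path."""
    excluded = {p.lower() for p in excluded_parent_paths}
    return [h for h in hits if h["ParentProcessName"].lower() not in excluded]


if __name__ == "__main__":
    raw_hits = run_rule(SAMPLE_EVENTS)
    tuned = exclude_parents(raw_hits, ["C:\\Windows\\System32\\schtasks.exe"])
    for h in tuned:
        print(h["TimeGenerated"], h["HostName"], h["HostNameDomain"], h["SubjectAccount"], h["CommandLine"])
```

Running it yields two raw hits (the first two records) and one after the parent-path exclusion; the mixed-case second record shows why the rule uses `=~` rather than `==`, and the `srv02` record shows that a hostname without a dot gets `HostNameDomain` equal to the whole `Computer` value, which is what the `iff(DomainIndex != -1, ...)` line produces.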