← Back to SOC feed Coverage →

Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)

kql MEDIUM Azure-Sentinel
T1547
imProcessCreate
microsoftofficial
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at Azure-Sentinel →
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

‘This query idenifies when rundll32.exe executes a specific set of inline VBScript commands References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-m

KQL Query

imProcessCreate
| where Process hassuffix 'rundll32.exe'
| where CommandLine  has_any ('Execute','RegRead','window.close')
| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex

Analytic Rule Definition

id: bdf04f58-242b-4729-b376-577c4bdf5d3a
name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
description: |
  'This query idenifies when rundll32.exe executes a specific set of inline VBScript commands
  References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'
severity: Medium
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1547
tags:
  - Id: d82e1987-4356-4a7b-bc5e-064f29b143c0
    version: 1.0.0
  - Schema: ASIMProcessEvent
    SchemaVersion: 0.1.0
  - Midnight Blizzard

query: |
  imProcessCreate
  | where Process hassuffix 'rundll32.exe'
  | where CommandLine  has_any ('Execute','RegRead','window.close')
  | project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
  | project-away DomainIndex
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: User
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Dvc
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.1.6
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Yuval Naor
    support:
        tier: Community
    categories:
        domains: [ "Security - Threat Protection" ]

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

MITRE ATT&CK Context

Validation (Atomic Red Team)

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Detections/ASimProcess/imProcess_MidnightBlizzard_SuspiciousRundll32Exec.yaml