
Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)

Language: KQL · Severity: Medium · Source: Azure-Sentinel · Technique: T1547 · Table: imProcessCreate · Tag: microsoftofficial
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

Adversaries may use rundll32.exe to execute inline VBScript payloads to evade detection and establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential T1547-based attacks and disrupt advanced threat operations.

KQL Query

imProcessCreate
| where Process hassuffix 'rundll32.exe'
| where CommandLine  has_any ('Execute','RegRead','window.close')
| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex
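To see what the two where-clauses and the account/host extractions actually produce on concrete rows, the following Python re-implementation of the same pipeline is added here as an illustration; it is not part of the Azure-Sentinel rule or of this page. The sample events, hostnames, user names and command lines are constructed (the inline script bodies are placeholders), and `has_term` only approximates KQL's term-based `has_any` (case-insensitive, whole-term matching), which is why it also shows that a substring check would over-match.

```python
import re

# Terms the rule looks for in CommandLine (taken from the page's query).
SUSPICIOUS_TERMS = ("Execute", "RegRead", "window.close")

# Constructed sample rows shaped like imProcessCreate output. Hostnames, users
# and command lines are made up for this example; the inline script bodies are
# placeholders, not real payloads.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-03-19T03:00:01Z", "Dvc": "ws01.corp.example.com",
     "User": r"CORP\alice", "Process": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": 'rundll32.exe vbscript:"<constructed placeholder> Execute(x) window.close"',
     "ActingProcessName": r"C:\Windows\explorer.exe",
     "EventVendor": "Microsoft", "EventProduct": "Security Events"},
    # Benign rundll32 use: passes the process filter, has none of the terms.
    {"TimeGenerated": "2026-03-19T03:01:00Z", "Dvc": "ws02", "User": r"WS02\bob",
     "Process": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
     "ActingProcessName": r"C:\Windows\explorer.exe",
     "EventVendor": "Microsoft", "EventProduct": "Security Events"},
    # Term present but a different host process: dropped by the hassuffix filter.
    {"TimeGenerated": "2026-03-19T03:02:00Z", "Dvc": "ws03.corp.example.com",
     "User": r"CORP\carol", "Process": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Scripts\Execute.vbs",
     "ActingProcessName": r"C:\Windows\System32\cmd.exe",
     "EventVendor": "Microsoft", "EventProduct": "Security Events"},
    # Upper-case image name, no domain in User, no dot in Dvc.
    {"TimeGenerated": "2026-03-19T03:03:00Z", "Dvc": "srv01", "User": "svc_backup",
     "Process": r"C:\Windows\System32\RUNDLL32.EXE",
     "CommandLine": 'RUNDLL32.EXE vbscript:"<constructed placeholder> RegRead(k)"',
     "ActingProcessName": r"C:\Windows\System32\cmd.exe",
     "EventVendor": "Microsoft", "EventProduct": "Security Events"},
    # "Executed" contains "Execute" as a substring but is a different term, so
    # term-based matching (like KQL has_any) does not fire on it.
    {"TimeGenerated": "2026-03-19T03:04:00Z", "Dvc": "ws04.corp.example.com",
     "User": r"CORP\dave", "Process": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe constructed.dll,EntryPoint C:\Tools\Executed\run.log",
     "ActingProcessName": r"C:\Windows\explorer.exe",
     "EventVendor": "Microsoft", "EventProduct": "Security Events"},
]


def _terms(text):
    """Split text into lower-cased alphanumeric terms (an approximation of the
    term indexing behind KQL's `has`)."""
    return re.findall(r"[a-z0-9_]+", text.lower())


def has_term(text, phrase):
    """Approximate KQL `has`: case-insensitive whole-term match. A phrase with
    several terms (e.g. 'window.close') must appear as consecutive terms."""
    t, p = _terms(text), _terms(phrase)
    return bool(p) and any(t[i:i + len(p)] == p for i in range(len(t) - len(p) + 1))


def enrich(row):
    """Reproduce the query's project/extend steps for one matching row."""
    projected = {k: row[k] for k in ("TimeGenerated", "Dvc", "User", "Process", "CommandLine",
                                     "ActingProcessName", "EventVendor", "EventProduct")}
    # split(User, @'\'): [0] is the NT domain, [1] the account; with no backslash
    # KQL yields null for [1], which tostring() turns into "".
    user_parts = row["User"].split("\\")
    projected["AccountName"] = user_parts[1] if len(user_parts) > 1 else ""
    projected["AccountNTDomain"] = user_parts[0]
    # HostName is the label before the first dot; HostNameDomain is everything
    # after it, or the whole Dvc value when there is no dot (the query's iff()).
    dvc = row["Dvc"]
    dot = dvc.find(".")
    projected["HostName"] = dvc.split(".")[0]
    projected["HostNameDomain"] = dvc[dot + 1:] if dot != -1 else dvc
    return projected  # DomainIndex is not kept, matching project-away


def run_rule(events):
    """Apply the rule's two where-clauses, then enrich the surviving rows."""
    hits = []
    for e in events:
        if not e["Process"].lower().endswith("rundll32.exe"):  # hassuffix is case-insensitive
            continue
        if not any(has_term(e["CommandLine"], term) for term in SUSPICIOUS_TERMS):
            continue
        hits.append(enrich(e))
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["HostName"], hit["AccountNTDomain"],
              hit["AccountName"], "|", hit["CommandLine"])
```

Two of the five constructed rows survive. The run also makes two properties of the extend steps visible that matter for entity mapping: when the source populates User without a backslash (a bare account or a UPN), AccountName comes out empty and AccountNTDomain carries the whole value, and when Dvc has no dot, HostNameDomain is the hostname itself rather than an empty domain.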

Analytic Rule Definition

id: bdf04f58-242b-4729-b376-577c4bdf5d3a
name: Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
description: |
  'This query identifies when rundll32.exe executes a specific set of inline VBScript commands
  References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'
severity: Medium
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1547
tags:
  - Id: d82e1987-4356-4a7b-bc5e-064f29b143c0
    version: 1.0.0
  - Schema: ASIMProcessEvent
    SchemaVersion: 0.1.0
  - Midnight Blizzard

query: |
  imProcessCreate
  | where Process hassuffix 'rundll32.exe'
  | where CommandLine  has_any ('Execute','RegRead','window.close')
  | project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct
  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
  | project-away DomainIndex
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: User
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Dvc
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.1.6
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Yuval Naor
    support:
        tier: Community
    categories:
        domains: [ "Security - Threat Protection" ]

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Detections/ASimProcess/imProcess_MidnightBlizzard_SuspiciousRundll32Exec.yaml