Adversaries may use Rundll32.EXE to load malicious DLLs remotely, leveraging this technique to execute arbitrary code without direct user interaction. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence mechanisms and early-stage compromise attempts.
Detection Rule
title: Remote DLL Load Via Rundll32.EXE
id: f40017b3-cb2e-4335-ab5d-3babf679c1de
status: test
description: Detects a remote DLL load event via "rundll32.exe".
references:
    - https://github.com/gabe-k/themebleed
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-18
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ImageLoaded|startswith: '\\\\'
    condition: selection
falsepositives:
    - Unknown
level: medium
DeviceImageLoadEvents
| where InitiatingProcessFolderPath endswith "\\rundll32.exe" and FolderPath startswith "\\\\"
Scenario: Scheduled Task Using Rundll32 for GUI Automation
Description: A legitimate scheduled task uses rundll32.exe to load a DLL for GUI automation (e.g., using rundll32.exe with user32.dll and SendMessage to interact with UI elements).
Filter/Exclusion: Exclude loads whose parent process is a known automation tool such as AutoHotkey or a UI Automation framework. The original filter required ProcessName to equal "rundll32.exe" and also contain "AutoHotkey", which can never both be true; the parent process is the field that identifies the automation tool. Appended to the DeviceImageLoadEvents query above:
| where not (InitiatingProcessCommandLine contains "user32.dll" and InitiatingProcessParentFileName contains "AutoHotkey")
Scenario: Admin Task to Load a Trusted DLL for System Maintenance
Description: An administrator uses rundll32.exe to load a trusted DLL (e.g., a custom logging or monitoring DLL) as part of a system maintenance script.
Filter/Exclusion: Exclude loads initiated by administrators running known maintenance tools. Appended to the DeviceImageLoadEvents query above (CustomLogDLL.dll is the page's placeholder name):
| where not (InitiatingProcessAccountName =~ "Administrator" and InitiatingProcessCommandLine contains "CustomLogDLL.dll")
Pin such an exclusion to the specific trusted share path (FolderPath) as well, not to the account name alone; an attacker holding administrator credentials would otherwise fall inside the same exclusion.
Scenario: Remote DLL Load via Rundll32 for Legacy Application Compatibility
Description: A legacy application uses rundll32.exe to load a DLL for compatibility with older systems (e.g., using rundll32.exe to load a COM DLL).
Filter/Exclusion: Exclude known legacy applications or COM components. As with the automation scenario, the application is identified by the parent of rundll32.exe, not by rundll32.exe's own process name. Appended to the DeviceImageLoadEvents query above (LegacyApp.exe is the page's placeholder name):
| where not (InitiatingProcessCommandLine contains "OLEAUT32.DLL" and InitiatingProcessParentFileName =~ "LegacyApp.exe")
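The rule's selection and the tuning exclusions from the scenarios above, evaluated over constructed image-load records. This is an added example, not code from the Sigma project or the rule author; the event fields, the allow-listed parent names and the share prefix (fileserv01, 10.0.0.5) are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class ImageLoadEvent:
    """One image-load record (Sysmon Event ID 7 / DeviceImageLoadEvents), constructed here."""
    image: str              # process performing the load (Sigma: Image)
    image_loaded: str       # DLL that was mapped (Sigma: ImageLoaded)
    parent_image: str = ""  # parent of the loading process, used only for tuning


def matches_rule(ev: ImageLoadEvent) -> bool:
    """Sigma selection: Image|endswith '\\rundll32.exe' AND ImageLoaded|startswith '\\\\'.
    Sigma string modifiers are case-insensitive, so the image path is lower-cased first."""
    return (ev.image.lower().endswith("\\rundll32.exe")
            and ev.image_loaded.startswith("\\\\"))


# Tuning allow-list (hypothetical names): parents that legitimately drive rundll32.exe,
# and UNC share prefixes an administrator has vouched for. Keep it short and reviewed.
KNOWN_AUTOMATION_PARENTS = {"autohotkey.exe", "legacyapp.exe"}
TRUSTED_SHARE_PREFIXES = ("\\\\fileserv01\\maint$\\",)


def is_excluded(ev: ImageLoadEvent) -> bool:
    """Apply the false-positive exclusions; the share exclusion is pinned to an exact
    UNC prefix rather than to the account that ran the maintenance script."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if parent in KNOWN_AUTOMATION_PARENTS:
        return True
    return ev.image_loaded.lower().startswith(TRUSTED_SHARE_PREFIXES)


def triage(events):
    """Return the remotely loaded DLL paths that fire the rule and survive the exclusions."""
    return [ev.image_loaded for ev in events if matches_rule(ev) and not is_excluded(ev)]


SAMPLE_EVENTS = [  # constructed sample data; hosts and paths are placeholders
    ImageLoadEvent(r"C:\Windows\System32\rundll32.exe", r"\\10.0.0.5\share\payload.dll", r"C:\Windows\explorer.exe"),
    ImageLoadEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\user32.dll", r"C:\Windows\explorer.exe"),
    ImageLoadEvent(r"C:\Windows\SysWOW64\RUNDLL32.EXE", r"\\fileserv01\maint$\CustomLogDLL.dll", r"C:\Windows\System32\cmd.exe"),
    ImageLoadEvent(r"C:\Windows\System32\notepad.exe", r"\\10.0.0.5\share\payload.dll", r"C:\Windows\explorer.exe"),
    ImageLoadEvent(r"C:\Windows\System32\rundll32.exe", r"\\10.0.0.5\share\ui.dll", r"C:\Tools\AutoHotkey.exe"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT remote DLL load via rundll32.exe:", hit)
```

Only the first record survives: the local user32.dll load and the notepad.exe load never match the selection, while the maintenance-share and AutoHotkey-driven loads match but are excluded by tuning.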
Scenario: PowerShell Script Using Rundll32 for DLL Injection
Description: