The RunDLL Suspicious Network Connection rule detects potential command and control communication initiated by malware leveraging the RunDLL technique to establish covert network connections. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary activity that could lead to data exfiltration or persistence.
KQL Query
DeviceNetworkEvents
| where InitiatingProcessFileName =~ 'rundll32.exe' and InitiatingProcessCommandLine has ",GlobalOut"
id: d0831db3-009f-40bb-9f82-c66b1f9674cd
name: RunDLL Suspicious Network Connection
description: |
During the chain of events from Bazacall to Bazaloader, RunDLL makes several network connections, including to command and control (C2) infrastructure. The command line for these connections contains a specific process paramter, ",GlobalOut" that can surface potentially malicious activity related to Bazacall and Bazaloader.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
tactics:
- Command and control
query: |
DeviceNetworkEvents
| where InitiatingProcessFileName =~ 'rundll32.exe' and InitiatingProcessCommandLine has ",GlobalOut"
| Sentinel Table | Notes |
|---|---|
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate use of RunDLL to execute a scheduled job that connects to an internal server for software updates
Filter/Exclusion: Check if the destination IP is within the internal network range and if the process is associated with a known update tool (e.g., Windows Update or Microsoft Endpoint Protection).
Filter Example: destination_ip in (10.0.0.0/8) or process_name contains "wuauclt.exe"
Scenario: Use of RunDLL to launch a remote desktop connection (RDP) to a trusted internal server
Filter/Exclusion: Verify if the connection is to a known internal RDP server and if the process is associated with mstsc.exe or tsclient.exe.
Filter Example: destination_ip in (10.10.0.0/16) and process_name contains "mstsc.exe"
Scenario: Execution of a legitimate system cleanup tool (e.g., CCleaner) via RunDLL that connects to a remote server for license validation
Filter/Exclusion: Confirm if the connection is to a known vendor server (e.g., ccleaner.com) and if the process is associated with ccleaner.exe.
Filter Example: destination_ip == 142.251.42.195 and process_name contains "ccleaner.exe"
Scenario: Administrative task using RunDLL to execute a PowerShell script that connects to a secure internal API for configuration management
Filter/Exclusion: Check if the script is signed by a trusted certificate and if the connection is to a known internal API endpoint (e.g., api.config.management).
Filter Example: process_name contains "powershell.exe" and `destination_ip in (