Detects rundll32.exe invoked with atypical arguments (.dll, .cpl, javascript:, mshtml). DLLs not normally loaded by rundll32 are mapped into memory. Control_RunDLL or RunHTMLApplication is invoked. Suspicious DLLs or scripts are accessed from disk or the network. Rundll32 reaches out to external domains (e.g., fetching .sct or .hta files).
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| TimeWindow | Correlating rundll32 invocation with DLL load or network activity within X seconds. |
| ParentProcessFilter | Limit detection to suspicious parent processes (e.g., explorer.exe, office apps) vs. trusted installers. |
| AllowedDLLs | Baseline list of legitimate DLLs frequently executed by rundll32 in the environment. |
| ExternalIPRange | Scope of external IP ranges considered anomalous for rundll32 network connections. |
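The correlation the description and tuning fields above call for, as an added Python example (not part of the original analytic): rundll32 launches from Sysmon EventCode=1 are scoped by ParentProcessFilter, checked for atypical arguments, and joined with EventCode=7 module loads and EventCode=3 connections from the same ProcessGuid inside TimeWindow. The tunable values, the `ATYPICAL_ARGS` pattern, the internal ranges standing in for ExternalIPRange, and the sample events are all constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tunables named after the page's fields; the concrete values are assumptions for this example.
TIME_WINDOW = timedelta(seconds=30)
PARENT_FILTER = {"explorer.exe", "winword.exe", "excel.exe", "outlook.exe"}
ALLOWED_DLLS = {"shell32.dll", "user32.dll", "kernel32.dll", "kernelbase.dll", "ntdll.dll"}
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ATYPICAL_ARGS = re.compile(r"\.cpl\b|javascript:|mshtml|Control_RunDLL|RunHTMLApplication|\.sct\b|\.hta\b", re.I)

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
def _base(path):
    return PureWindowsPath(path).name.lower()

def is_external(ip):
    """ExternalIPRange stand-in: any destination outside the internal ranges is anomalous."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_RANGES)

def correlate(events):
    """Map ProcessGuid -> reasons for rundll32 launches (EventCode=1, parent in PARENT_FILTER) that trip a signal."""
    alerts = {}
    starts = {e["ProcessGuid"]: e for e in events if e["EventCode"] == 1
              and _base(e["Image"]) == "rundll32.exe" and _base(e["ParentImage"]) in PARENT_FILTER}
    for guid, start in starts.items():
        reasons = ["atypical command line"] if ATYPICAL_ARGS.search(start["CommandLine"]) else []
        for e in events:  # EventCode=7 / 3 from the same process within TimeWindow of the launch
            if e["ProcessGuid"] != guid or not timedelta(0) <= _ts(e) - _ts(start) <= TIME_WINDOW:
                continue
            if e["EventCode"] == 7 and _base(e["ImageLoaded"]) not in ALLOWED_DLLS:
                reasons.append(f"unusual module: {_base(e['ImageLoaded'])}")
            elif e["EventCode"] == 3 and is_external(e["DestinationIp"]):
                reasons.append(f"external connection: {e['DestinationIp']}")
        if reasons:
            alerts[guid] = reasons
    return alerts

SAMPLE_EVENTS = [  # constructed Sysmon-style records, not real telemetry: A = scripted launch from Word, B = routine shell call
    {"EventCode": 1, "UtcTime": "2024-05-01 12:00:00.000", "ProcessGuid": "A", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";[constructed payload omitted]'},
    {"EventCode": 7, "UtcTime": "2024-05-01 12:00:01.500", "ProcessGuid": "A", "ImageLoaded": r"C:\Windows\System32\mshtml.dll"},
    {"EventCode": 3, "UtcTime": "2024-05-01 12:00:04.000", "ProcessGuid": "A", "DestinationIp": "203.0.113.10"},
    {"EventCode": 1, "UtcTime": "2024-05-01 12:05:00.000", "ProcessGuid": "B", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder"},
    {"EventCode": 7, "UtcTime": "2024-05-01 12:05:00.200", "ProcessGuid": "B", "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventCode": 3, "UtcTime": "2024-05-01 12:06:00.000", "ProcessGuid": "B", "DestinationIp": "203.0.113.20"},  # outside TimeWindow
]
```

`correlate(SAMPLE_EVENTS)` flags only process A, on all three signals; B's allow-listed module load and its external connection 60 seconds after launch fall outside the analytic's scope.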