https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_rundll32_spawn_explorer/
RunDLL32 Spawning Explorer | Detection.FYI
Detects rundll32.exe spawning explorer.exe as a child process, which is very uncommon; Gamarue has often been observed launching explorer.exe in this unusual way
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32/
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module | Detection.FYI
Detects obfuscated PowerShell launched via rundll32 in scripts
https://attack.mitre.org/techniques/T1218/011/
System Binary Proxy Execution: Rundll32, Sub-technique T1218.011 - Enterprise | MITRE ATT&CK®
https://detection.fyi/sigmahq/sigma/emerging-threats/2023/malware/qakbot/proc_creation_win_malware_qakbot_rundll32_execution/
Potential Qakbot Rundll32 Execution | Detection.FYI
Detects specific process tree behavior of a
https://docs.chocolatey.org/en-us/community-repository/moderation/package-validator/rules/cpmr0065/
Chocolatey Software Docs | CPMR0065 - Usage of Rundll32 (script)
Information on how to remediate the Chocolatey Package Moderation Rule 0065
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_rundll32_inline_vbs/
Suspicious Rundll32 Invoking Inline VBScript | Detection.FYI
Detects a suspicious rundll32 process whose command line invokes inline VBScript, as seen used by UNC2452
https://detection.fyi/sigmahq/sigma/emerging-threats/2023/malware/icedid/proc_creation_win_malware_icedid_rundll32_dllregisterserver/
IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 | Detection.FYI
Detects RunDLL32.exe executing a single digit DLL named
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32/
Invoke-Obfuscation Via Use Rundll32 - PowerShell | Detection.FYI
Detects obfuscated PowerShell launched via rundll32 in scripts
https://detection.fyi/mbabinski/sigma-rules/2024_redcanary_threatdetectionreport/threat_gamarue_rundll32_cmdline/
Gamarue Rundll32.exe Long Commandlines | Detection.FYI
Fortunately for defenders, Gamarue is detectable with endpoint telemetry. The majority of Gamarue activity we see involves rundll32.exe executing with unusual …
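The linked rules (rundll32 spawning explorer.exe, inline VBScript on the rundll32 command line, a single-digit DLL run through DllRegisterServer, and Gamarue's unusually long rundll32 command lines) all key on the same three process-creation fields: image, parent image and command line. The following is an added example, not code from detection.fyi, SigmaHQ or Red Canary, that runs those four checks over constructed Sysmon-style process-creation records. The exact Sigma selections are not reproduced on this page, so each check is this example's own approximation of the rule's title and description: the `vbscript:` marker, the single-digit-DLL regex and the 256-character length threshold are assumptions to be tuned against your own baseline.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / 4688 style fields)."""
    image: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# --- One check per linked rule (approximations of the rule logic, not the Sigma source) ---

def rundll32_spawns_explorer(ev: ProcEvent) -> bool:
    """RunDLL32 Spawning Explorer: explorer.exe whose parent is rundll32.exe."""
    return _basename(ev.parent_image) == "rundll32.exe" and _basename(ev.image) == "explorer.exe"


def rundll32_inline_vbs(ev: ProcEvent) -> bool:
    """Suspicious Rundll32 Invoking Inline VBScript: 'vbscript:' on the command line (assumed marker)."""
    return _basename(ev.image) == "rundll32.exe" and "vbscript:" in ev.command_line.lower()


# A lone digit as the DLL file name, followed by the DllRegisterServer export (assumed pattern).
SINGLE_DIGIT_DLL = re.compile(r"(?:^|[\\\s\"'])\d\.dll\s*,\s*DllRegisterServer", re.IGNORECASE)


def rundll32_single_digit_dll(ev: ProcEvent) -> bool:
    """IcedID Single Digit DLL Execution Via Rundll32: e.g. '1.dll,DllRegisterServer'."""
    return _basename(ev.image) == "rundll32.exe" and SINGLE_DIGIT_DLL.search(ev.command_line) is not None


LONG_CMDLINE_THRESHOLD = 256  # assumed value; baseline rundll32 command lines in your own environment first


def rundll32_long_cmdline(ev: ProcEvent) -> bool:
    """Gamarue Rundll32.exe Long Commandlines: rundll32 with an abnormally long command line."""
    return _basename(ev.image) == "rundll32.exe" and len(ev.command_line) > LONG_CMDLINE_THRESHOLD


RULES = {
    "RunDLL32 Spawning Explorer": rundll32_spawns_explorer,
    "Suspicious Rundll32 Invoking Inline VBScript": rundll32_inline_vbs,
    "IcedID Single Digit DLL Execution Via Rundll32": rundll32_single_digit_dll,
    "Gamarue Rundll32.exe Long Commandlines": rundll32_long_cmdline,
}


def scan(events):
    """Return {rule_name: [indexes of matching events]} for a list of ProcEvent records."""
    hits = {name: [] for name in RULES}
    for i, ev in enumerate(events):
        for name, check in RULES.items():
            if check(ev):
                hits[name].append(i)
    return hits


# Constructed sample telemetry for the demonstration; these are not real logs.
SAMPLE_EVENTS = [
    # 0: benign rundll32 use launched from the shell (should match nothing)
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'),
    # 1: explorer.exe spawned by rundll32.exe (Gamarue-style parent/child)
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\explorer.exe"),
    # 2: inline VBScript on the rundll32 command line (UNC2452-style)
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
              r'rundll32.exe vbscript:Execute("MsgBox 1")'),
    # 3: single-digit DLL run via DllRegisterServer (IcedID-style)
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\wscript.exe",
              r"rundll32.exe C:\Users\Public\1.dll,DllRegisterServer"),
    # 4: abnormally long rundll32 command line (Gamarue-style)
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
              r"rundll32.exe C:\Users\Public\upd.dll,Start " + "A" * 300),
]


if __name__ == "__main__":
    for rule, idxs in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idxs}")
```

Event 0 shows why each check is scoped the way it is: a Control Panel launch is a legitimate rundll32 use with explorer.exe as the parent, not the child, so only the parent/child direction in the first check separates it from the Gamarue case. In production, feed the same fields from Sysmon Event ID 1 or Security 4688 (with command-line auditing enabled) rather than the constructed list.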