atomic-threat-coverage/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_activity.md

| Title                    | Suspicious Rundll32 Activity       |
|:-------------------------|:------------------|
| **Description**          | Detects suspicious process related to rundll32 based on arguments |
| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
| **ATT&amp;CK Technique** | <ul><li>[T1218.011: Rundll32](https://attack.mitre.org/techniques/T1218/011)</li><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul>  |
| **Data Needed**          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
| **Trigger**              | <ul><li>[T1218.011: Rundll32](../Triggers/T1218.011.md)</li></ul>  |
| **Severity Level**       | medium |
| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul>  |
| **Development Status**   | experimental |
| **References**           | <ul><li>[http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/](http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/)</li><li>[https://twitter.com/Hexacorn/status/885258886428725250](https://twitter.com/Hexacorn/status/885258886428725250)</li><li>[https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52](https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52)</li></ul>  |
| **Author**               | juju4 |


## Detection Rules

### Sigma rule

```
title: Suspicious Rundll32 Activity
id: e593cf51-88db-4ee1-b920-37e89012a3c9
description: Detects suspicious process related to rundll32 based on arguments
status: experimental
references:
    - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
    - https://twitter.com/Hexacorn/status/885258886428725250
    - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
tags:
    - attack.defense_evasion
    - attack.execution  # an old one 
    - attack.t1218.011
    - attack.t1085      # an old one 
author: juju4
date: 2019/01/16
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '*\rundll32.exe* url.dll,*OpenURL *'
            - '*\rundll32.exe* url.dll,*OpenURLA *'
            - '*\rundll32.exe* url.dll,*FileProtocolHandler *'
            - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *'
            - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *'
            - '*\rundll32.exe javascript:*'
            - '* url.dll,*OpenURL *'
            - '* url.dll,*OpenURLA *'
            - '* url.dll,*FileProtocolHandler *'
            - '* zipfldr.dll,*RouteTheCall *'
            - '* Shell32.dll,*Control_RunDLL *'
            - '* javascript:*'
            - '*.RegisterXLL*'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium

```


### powershell
    
```
Get-WinEvent | where {($_.message -match "CommandLine.*.*\\\\rundll32.exe.* url.dll,.*OpenURL .*" -or $_.message -match "CommandLine.*.*\\\\rundll32.exe.* url.dll,.*OpenURLA .*" -or $_.message -match "CommandLine.*.*\\\\rundll32.exe.* url.dll,.*FileProtocolHandler .*" -or $_.message -match "CommandLine.*.*\\\\rundll32.exe.* zipfldr.dll,.*RouteTheCall .*" -or $_.message -match "CommandLine.*.*\\\\rundll32.exe.* Shell32.dll,.*Control_RunDLL .*" -or $_.message -match "CommandLine.*.*\\\\rundll32.exe javascript:.*" -or $_.message -match "CommandLine.*.* url.dll,.*OpenURL .*" -or $_.message -match "CommandLine.*.* url.dll,.*OpenURLA .*" -or $_.message -match "CommandLine.*.* url.dll,.*FileProtocolHandler .*" -or $_.message -match "CommandLine.*.* zipfldr.dll,.*RouteTheCall .*" -or $_.message -match "CommandLine.*.* Shell32.dll,.*Control_RunDLL .*" -or $_.message -match "CommandLine.*.* javascript:.*" -or $_.message -match "CommandLine.*.*.RegisterXLL.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
```


### es-qs
    
```
winlog.event_data.CommandLine.keyword:(*\\\\rundll32.exe*\\ url.dll,*OpenURL\\ * OR *\\\\rundll32.exe*\\ url.dll,*OpenURLA\\ * OR *\\\\rundll32.exe*\\ url.dll,*FileProtocolHandler\\ * OR *\\\\rundll32.exe*\\ zipfldr.dll,*RouteTheCall\\ * OR *\\\\rundll32.exe*\\ Shell32.dll,*Control_RunDLL\\ * OR *\\\\rundll32.exe\\ javascript\\:* OR *\\ url.dll,*OpenURL\\ * OR *\\ url.dll,*OpenURLA\\ * OR *\\ url.dll,*FileProtocolHandler\\ * OR *\\ zipfldr.dll,*RouteTheCall\\ * OR *\\ Shell32.dll,*Control_RunDLL\\ * OR *\\ javascript\\:* OR *.RegisterXLL*)
```


### xpack-watcher
    
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/e593cf51-88db-4ee1-b920-37e89012a3c9 <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Rundll32 Activity",\n    "description": "Detects suspicious process related to rundll32 based on arguments",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1218.011",\n      "attack.t1085"\n    ],\n    "query": "winlog.event_data.CommandLine.keyword:(*\\\\\\\\rundll32.exe*\\\\ url.dll,*OpenURL\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ url.dll,*OpenURLA\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ url.dll,*FileProtocolHandler\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ zipfldr.dll,*RouteTheCall\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ Shell32.dll,*Control_RunDLL\\\\ * OR *\\\\\\\\rundll32.exe\\\\ javascript\\\\:* OR *\\\\ url.dll,*OpenURL\\\\ * OR *\\\\ url.dll,*OpenURLA\\\\ * OR *\\\\ url.dll,*FileProtocolHandler\\\\ * OR *\\\\ zipfldr.dll,*RouteTheCall\\\\ * OR *\\\\ Shell32.dll,*Control_RunDLL\\\\ * OR *\\\\ javascript\\\\:* OR *.RegisterXLL*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "winlog.event_data.CommandLine.keyword:(*\\\\\\\\rundll32.exe*\\\\ url.dll,*OpenURL\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ url.dll,*OpenURLA\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ url.dll,*FileProtocolHandler\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ zipfldr.dll,*RouteTheCall\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ Shell32.dll,*Control_RunDLL\\\\ * OR *\\\\\\\\rundll32.exe\\\\ javascript\\\\:* OR *\\\\ url.dll,*OpenURL\\\\ * OR *\\\\ url.dll,*OpenURLA\\\\ * OR *\\\\ url.dll,*FileProtocolHandler\\\\ * OR *\\\\ zipfldr.dll,*RouteTheCall\\\\ * OR *\\\\ Shell32.dll,*Control_RunDLL\\\\ * OR *\\\\ javascript\\\\:* OR *.RegisterXLL*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": [\n          "winlogbeat-*"\n        ]\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "throttle_period": "15m",\n      "email": {\n        "profile": "standard",\n        "from": "root@localhost",\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Rundll32 Activity\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
```


### graylog
    
```
CommandLine.keyword:(*\\\\rundll32.exe* url.dll,*OpenURL * *\\\\rundll32.exe* url.dll,*OpenURLA * *\\\\rundll32.exe* url.dll,*FileProtocolHandler * *\\\\rundll32.exe* zipfldr.dll,*RouteTheCall * *\\\\rundll32.exe* Shell32.dll,*Control_RunDLL * *\\\\rundll32.exe javascript\\:* * url.dll,*OpenURL * * url.dll,*OpenURLA * * url.dll,*FileProtocolHandler * * zipfldr.dll,*RouteTheCall * * Shell32.dll,*Control_RunDLL * * javascript\\:* *.RegisterXLL*)
```


### splunk
    
```
(CommandLine="*\\\\rundll32.exe* url.dll,*OpenURL *" OR CommandLine="*\\\\rundll32.exe* url.dll,*OpenURLA *" OR CommandLine="*\\\\rundll32.exe* url.dll,*FileProtocolHandler *" OR CommandLine="*\\\\rundll32.exe* zipfldr.dll,*RouteTheCall *" OR CommandLine="*\\\\rundll32.exe* Shell32.dll,*Control_RunDLL *" OR CommandLine="*\\\\rundll32.exe javascript:*" OR CommandLine="* url.dll,*OpenURL *" OR CommandLine="* url.dll,*OpenURLA *" OR CommandLine="* url.dll,*FileProtocolHandler *" OR CommandLine="* zipfldr.dll,*RouteTheCall *" OR CommandLine="* Shell32.dll,*Control_RunDLL *" OR CommandLine="* javascript:*" OR CommandLine="*.RegisterXLL*")
```


### logpoint
    
```
CommandLine IN ["*\\\\rundll32.exe* url.dll,*OpenURL *", "*\\\\rundll32.exe* url.dll,*OpenURLA *", "*\\\\rundll32.exe* url.dll,*FileProtocolHandler *", "*\\\\rundll32.exe* zipfldr.dll,*RouteTheCall *", "*\\\\rundll32.exe* Shell32.dll,*Control_RunDLL *", "*\\\\rundll32.exe javascript:*", "* url.dll,*OpenURL *", "* url.dll,*OpenURLA *", "* url.dll,*FileProtocolHandler *", "* zipfldr.dll,*RouteTheCall *", "* Shell32.dll,*Control_RunDLL *", "* javascript:*", "*.RegisterXLL*"]
```


### grep
    
```
grep -P '^(?:.*.*\\rundll32\\.exe.* url\\.dll,.*OpenURL .*|.*.*\\rundll32\\.exe.* url\\.dll,.*OpenURLA .*|.*.*\\rundll32\\.exe.* url\\.dll,.*FileProtocolHandler .*|.*.*\\rundll32\\.exe.* zipfldr\\.dll,.*RouteTheCall .*|.*.*\\rundll32\\.exe.* Shell32\\.dll,.*Control_RunDLL .*|.*.*\\rundll32\\.exe javascript:.*|.*.* url\\.dll,.*OpenURL .*|.*.* url\\.dll,.*OpenURLA .*|.*.* url\\.dll,.*FileProtocolHandler .*|.*.* zipfldr\\.dll,.*RouteTheCall .*|.*.* Shell32\\.dll,.*Control_RunDLL .*|.*.* javascript:.*|.*.*\\.RegisterXLL.*)'
```
fix #173 2020-04-05 06:17:52 +00:00			`\| Title \| Suspicious Rundll32 Activity \|`
			`\|:-------------------------\|:------------------\|`
			`\| Description \| Detects suspicious process related to rundll32 based on arguments \|`
			`\| ATT&CK Tactic \| <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> \|`
URL to subtechniques fixed 2020-10-06 22:26:25 +00:00			`\| ATT&CK Technique \| <ul><li>[T1218.011: Rundll32](https://attack.mitre.org/techniques/T1218/011)</li><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul> \|`
fix #173 2020-04-05 06:17:52 +00:00			`\| Data Needed \| <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> \|`
rules with subtechniques 2020-09-22 22:53:06 +00:00			`\| Trigger \| <ul><li>[T1218.011: Rundll32](../Triggers/T1218.011.md)</li></ul> \|`
fix #173 2020-04-05 06:17:52 +00:00			`\| Severity Level \| medium \|`
			`\| False Positives \| <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> \|`
			`\| Development Status \| experimental \|`
			\| References \| <ul><li>[http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/](http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/)</li><li>[https://twitter.com/Hexacorn/status/885258886428725250](https://twitter.com/Hexacorn/status/885258886428725250)</li><li>[https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52](https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52)</li></ul> \|
			`\| Author \| juju4 \|`
get rid of dot workaround for markdown, missing analitics added 2019-05-01 21:43:17 +00:00

			`## Detection Rules`

			`### Sigma rule`

			```
			`title: Suspicious Rundll32 Activity`
update DN md template, fix #153 2020-01-14 07:12:24 +00:00			`id: e593cf51-88db-4ee1-b920-37e89012a3c9`
get rid of dot workaround for markdown, missing analitics added 2019-05-01 21:43:17 +00:00			`description: Detects suspicious process related to rundll32 based on arguments`
			`status: experimental`
			`references:`
			`- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/`
			`- https://twitter.com/Hexacorn/status/885258886428725250`
			`- https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52`
			`tags:`
			`- attack.defense_evasion`
rules with subtechniques 2020-09-22 22:53:06 +00:00			`- attack.execution # an old one`
			`- attack.t1218.011`
			`- attack.t1085 # an old one`
get rid of dot workaround for markdown, missing analitics added 2019-05-01 21:43:17 +00:00			`author: juju4`
update confluence and md kb 2020-03-23 03:13:43 +00:00			`date: 2019/01/16`
get rid of dot workaround for markdown, missing analitics added 2019-05-01 21:43:17 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
			`CommandLine:`
			`- '\rundll32.exe url.dll,OpenURL '`
			`- '\rundll32.exe url.dll,OpenURLA '`
			`- '\rundll32.exe url.dll,FileProtocolHandler '`
			`- '\rundll32.exe zipfldr.dll,RouteTheCall '`
			`- '\rundll32.exe Shell32.dll,Control_RunDLL '`
			`- '\rundll32.exe javascript:'`
			`- '* url.dll,OpenURL '`
			`- '* url.dll,OpenURLA '`
			`- '* url.dll,FileProtocolHandler '`
			`- '* zipfldr.dll,RouteTheCall '`
			`- '* Shell32.dll,Control_RunDLL '`
			`- '* javascript:*'`
			`- '.RegisterXLL'`
			`condition: selection`
			`falsepositives:`
			`- False positives depend on scripts and administrative tools used in the monitored environment`
			`level: medium`

			```





#192 for markdown, added powershell to default targets 2020-05-15 01:15:48 +00:00			`### powershell`

			```
			Get-WinEvent \| where {($_.message -match "CommandLine..\\\\rundll32.exe.* url.dll,.OpenURL ." -or $_.message -match "CommandLine..\\\\rundll32.exe.* url.dll,.OpenURLA ." -or $_.message -match "CommandLine..\\\\rundll32.exe.* url.dll,.FileProtocolHandler ." -or $_.message -match "CommandLine..\\\\rundll32.exe.* zipfldr.dll,.RouteTheCall ." -or $_.message -match "CommandLine..\\\\rundll32.exe.* Shell32.dll,.Control_RunDLL ." -or $_.message -match "CommandLine..\\\\rundll32.exe javascript:." -or $_.message -match "CommandLine..* url.dll,.OpenURL ." -or $_.message -match "CommandLine.. url.dll,.OpenURLA ." -or $_.message -match "CommandLine.. url.dll,.FileProtocolHandler ." -or $_.message -match "CommandLine.. zipfldr.dll,.RouteTheCall ." -or $_.message -match "CommandLine.. Shell32.dll,.Control_RunDLL ." -or $_.message -match "CommandLine.. javascript:." -or $_.message -match "CommandLine...RegisterXLL.") } \| select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
			```


get rid of dot workaround for markdown, missing analitics added 2019-05-01 21:43:17 +00:00			`### es-qs`

			```
#192 for markdown, added powershell to default targets 2020-05-15 01:15:48 +00:00			winlog.event_data.CommandLine.keyword:(\\\\rundll32.exe\\ url.dll,OpenURL\\ OR \\\\rundll32.exe\\ url.dll,OpenURLA\\ OR \\\\rundll32.exe\\ url.dll,FileProtocolHandler\\ OR \\\\rundll32.exe\\ zipfldr.dll,RouteTheCall\\ OR \\\\rundll32.exe\\ Shell32.dll,Control_RunDLL\\ OR \\\\rundll32.exe\\ javascript\\: OR \\ url.dll,OpenURL\\ * OR \\ url.dll,OpenURLA\\ * OR \\ url.dll,FileProtocolHandler\\ * OR \\ zipfldr.dll,RouteTheCall\\ * OR \\ Shell32.dll,Control_RunDLL\\ * OR \\ javascript\\: OR .RegisterXLL)
get rid of dot workaround for markdown, missing analitics added 2019-05-01 21:43:17 +00:00			```


			`### xpack-watcher`

			```
rules with subtechniques 2020-09-22 22:53:06 +00:00			curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/e593cf51-88db-4ee1-b920-37e89012a3c9 <<EOF\n{\n "metadata": {\n "title": "Suspicious Rundll32 Activity",\n "description": "Detects suspicious process related to rundll32 based on arguments",\n "tags": [\n "attack.defense_evasion",\n "attack.execution",\n "attack.t1218.011",\n "attack.t1085"\n ],\n "query": "winlog.event_data.CommandLine.keyword:(\\\\\\\\rundll32.exe\\\\ url.dll,OpenURL\\\\ OR \\\\\\\\rundll32.exe\\\\ url.dll,OpenURLA\\\\ OR \\\\\\\\rundll32.exe\\\\ url.dll,FileProtocolHandler\\\\ OR \\\\\\\\rundll32.exe\\\\ zipfldr.dll,RouteTheCall\\\\ OR \\\\\\\\rundll32.exe\\\\ Shell32.dll,Control_RunDLL\\\\ OR \\\\\\\\rundll32.exe\\\\ javascript\\\\: OR \\\\ url.dll,OpenURL\\\\ * OR \\\\ url.dll,OpenURLA\\\\ * OR \\\\ url.dll,FileProtocolHandler\\\\ * OR \\\\ zipfldr.dll,RouteTheCall\\\\ * OR \\\\ Shell32.dll,Control_RunDLL\\\\ * OR \\\\ javascript\\\\: OR .RegisterXLL)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "winlog.event_data.CommandLine.keyword:(\\\\\\\\rundll32.exe\\\\ url.dll,OpenURL\\\\ OR \\\\\\\\rundll32.exe\\\\ url.dll,OpenURLA\\\\ OR \\\\\\\\rundll32.exe\\\\ url.dll,FileProtocolHandler\\\\ OR \\\\\\\\rundll32.exe\\\\ zipfldr.dll,RouteTheCall\\\\ OR \\\\\\\\rundll32.exe\\\\ Shell32.dll,Control_RunDLL\\\\ OR \\\\\\\\rundll32.exe\\\\ javascript\\\\: OR \\\\ url.dll,OpenURL\\\\ * OR \\\\ url.dll,OpenURLA\\\\ * OR \\\\ url.dll,FileProtocolHandler\\\\ * OR \\\\ zipfldr.dll,RouteTheCall\\\\ * OR \\\\ Shell32.dll,Control_RunDLL\\\\ * OR \\\\ javascript\\\\: OR .RegisterXLL)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": [\n "winlogbeat-*"\n ]\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "throttle_period": "15m",\n "email": {\n "profile": "standard",\n "from": "root@localhost",\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious Rundll32 Activity\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
get rid of dot workaround for markdown, missing analitics added 2019-05-01 21:43:17 +00:00			```


			`### graylog`

			```
update DN md template, fix #153 2020-01-14 07:12:24 +00:00			`CommandLine.keyword:(\\\\rundll32.exe url.dll,OpenURL \\\\rundll32.exe url.dll,OpenURLA \\\\rundll32.exe url.dll,FileProtocolHandler \\\\rundll32.exe zipfldr.dll,RouteTheCall \\\\rundll32.exe Shell32.dll,Control_RunDLL \\\\rundll32.exe javascript\\: * url.dll,OpenURL * url.dll,OpenURLA * url.dll,FileProtocolHandler * zipfldr.dll,RouteTheCall * Shell32.dll,Control_RunDLL * javascript\\:* .RegisterXLL)`
get rid of dot workaround for markdown, missing analitics added 2019-05-01 21:43:17 +00:00			```


			`### splunk`

			```
sysmon event id 22 (dns queries) added 2019-06-24 02:37:21 +00:00			(CommandLine="\\\\rundll32.exe url.dll,OpenURL " OR CommandLine="\\\\rundll32.exe url.dll,OpenURLA " OR CommandLine="\\\\rundll32.exe url.dll,FileProtocolHandler " OR CommandLine="\\\\rundll32.exe zipfldr.dll,RouteTheCall " OR CommandLine="\\\\rundll32.exe Shell32.dll,Control_RunDLL " OR CommandLine="\\\\rundll32.exe javascript:" OR CommandLine="* url.dll,OpenURL " OR CommandLine="* url.dll,OpenURLA " OR CommandLine="* url.dll,FileProtocolHandler " OR CommandLine="* zipfldr.dll,RouteTheCall " OR CommandLine="* Shell32.dll,Control_RunDLL " OR CommandLine="* javascript:" OR CommandLine=".RegisterXLL*")
get rid of dot workaround for markdown, missing analitics added 2019-05-01 21:43:17 +00:00			```


			`### logpoint`

			```
#192 for markdown, added powershell to default targets 2020-05-15 01:15:48 +00:00			`CommandLine IN ["\\\\rundll32.exe url.dll,OpenURL ", "\\\\rundll32.exe url.dll,OpenURLA ", "\\\\rundll32.exe url.dll,FileProtocolHandler ", "\\\\rundll32.exe zipfldr.dll,RouteTheCall ", "\\\\rundll32.exe Shell32.dll,Control_RunDLL ", "\\\\rundll32.exe javascript:", "* url.dll,OpenURL ", "* url.dll,OpenURLA ", "* url.dll,FileProtocolHandler ", "* zipfldr.dll,RouteTheCall ", "* Shell32.dll,Control_RunDLL ", "* javascript:", ".RegisterXLL*"]`
get rid of dot workaround for markdown, missing analitics added 2019-05-01 21:43:17 +00:00			```


			`### grep`

			```
			grep -P '^(?:..\\rundll32\\.exe.* url\\.dll,.OpenURL .\|..\\rundll32\\.exe.* url\\.dll,.OpenURLA .\|..\\rundll32\\.exe.* url\\.dll,.FileProtocolHandler .\|..\\rundll32\\.exe.* zipfldr\\.dll,.RouteTheCall .\|..\\rundll32\\.exe.* Shell32\\.dll,.Control_RunDLL .\|..\\rundll32\\.exe javascript:.\|..* url\\.dll,.OpenURL .\|.. url\\.dll,.OpenURLA .\|.. url\\.dll,.FileProtocolHandler .\|.. zipfldr\\.dll,.RouteTheCall .\|.. Shell32\\.dll,.Control_RunDLL .\|.. javascript:.\|..\\.RegisterXLL.)'
			```