Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Identifies when rundll32 or cmd.exe is utilized to launch a malicious DLL or executable from explorer.exe. Indicative of a cmd window or LNK file executing a program or malware due to a user clicking on a file.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Cyborg Security HUNTER |
| ID | 3bc6e8ef-9e08-4626-89e9-fda87866cc82 |
| Tactics | Execution |
| Techniques | T1204.002 |
| Required Connectors | SecurityEvent |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
SecurityEvent |
CommandLine has "cmd.exe"CommandLine has_any ",.dll"CommandLine has_any "explorer"CommandLine matchesregex "\\/[Cc] +[Ss][Tt][Aa][Rr][Tt].*\\.exe"ParentProcessName has "explorer.exe"Process has_any "wscript.exe" |
✓ | ✓ | ✓ |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊