Regsvr32 Rundll32 with Anomalous Parent Process

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

This analytical rule looks for rundll32.exe or regsvr32.exe being spawned by abnormal processes: wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe. Blog: https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/

Attribute	Value
Type	Analytic Rule
Solution	Microsoft Defender XDR
ID	2624fc55-0998-4897-bb48-1c6422befce4
Severity	High
Status	Available
Kind	Scheduled
Tactics	DefenseEvasion
Techniques	T1218.010, T1218.011
Required Connectors	MicrosoftThreatProtection
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
DeviceNetworkEvents	✓	✗	?
DeviceProcessEvents	✓	✗	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Microsoft Defender XDR