title: Rundll32 Without Parameters
author: Bartlomiej Czyz, Relativity
date: 2021/01/31
description: Detects rundll32 execution without parameters as observed when running
  Metasploit windows/smb/psexec exploit module
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine: rundll32.exe
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
fields:
- ComputerName
- SubjectUserName
- CommandLine
- Image
- ParentImage
id: 5bb68627-3198-40ca-b458-49f973db8752
level: high
logsource:
  category: process_creation
  product: windows
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
status: experimental
tags:
- attack.lateral_movement
- attack.t1021.002
- attack.t1570
- attack.execution
- attack.t1569.002
ruletype: SIGMA