Tag
low
advisory
Command Shell Activity Started via RunDLL32
2 rules 4 TTPsThis rule detects command shell activity, such as cmd.exe or powershell.exe, initiated by RunDLL32, a technique commonly abused by attackers to execute malicious code and bypass security controls.
M365 Defender +2
execution
command-shell
rundll32
2r
4t
high
advisory
Rundll32 Execution with DLL Stored in Alternate Data Stream (ADS)
2 rules 1 TTPAdversaries may use rundll32.exe to execute DLLs stored within alternate data streams (ADS) to bypass security controls and conceal malicious code.
defense-evasion
ads
rundll32
windows
2r
1t
high
advisory
Unusual Child Processes of RunDLL32 Execution Without Arguments
2 rules 1 TTPThe execution of `rundll32.exe` without arguments, followed by a child process execution, indicates potential abuse of Rundll32 for proxy execution or payload handoff, often employed for defense evasion on Windows systems.
Elastic Defend
defense-evasion
proxy-execution
rundll32
2r
1t