sequence by host.id, process.entity_id with maxspan=1m
[process where host.os.type == "windows" and event.type == "start" and process.name : "rundll32.exe" and
(
process.args_count == 1 and
/* Excludes bug where a missing closing quote sets args_count to 1 despite extra args */
not process.command_line regex~ """\".*\.exe[^\"].*"""
)]
[network where host.os.type == "windows" and process.name : "rundll32.exe" and
not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
"192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
"100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
"FE80::/10", "FF00::/8")]
Install detection rules in Elastic Security
Detect Unusual Network Connection via RunDLL32 in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).