Rundll32.exe running with no command-line arguments

Cortex XDR Analytics Alert Reference by data source

Last date published: 2024-04-15
Order: data source

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	System Binary Proxy Execution: Rundll32 (T1218.011)
Severity	Medium

Description

Rundll32.exe is meant to run with parameters, so the absence of them is extremely suspicious; this behavior is used in the default configuration of Cobalt Strike.

Attacker's Goals

Run as a signed Microsoft executables to avoid detection.
Rundll32 is the default process used by Cobalt Strike for running post-exploitation tools.

Investigative actions

Check for any injection event to the Rundll32 process.
Check the causality of execution for any injections.