Query Details

Rundll Suspicious

Query

Tags:

Query:
  DeviceProcessEvents
    | where InitiatingProcessFileName contains "rundll" or InitiatingProcessVersionInfoInternalFileName == @"rundll"
    | where FileName has_any ("cmd.exe", "powershell", "powershell_ise") and InitiatingProcessCommandLine !contains @"zzzzInvokeManagedCustomActionOutOfProc"
References:


Notes:

Explanation

This query searches device process events for cases where rundll32 has started a command shell. A row is returned only when all three conditions hold:

  1. The initiating (parent) process has a file name containing "rundll", or the InternalName field of its PE version resource is exactly "rundll". The second test still fires when rundll32.exe has been copied to disk under another name, which the file-name test alone would miss.
  2. The started (child) process file name has the term "cmd.exe", "powershell" or "powershell_ise". has_any matches whole terms, not substrings, so "powershell" covers "powershell.exe" but "pwsh.exe" (PowerShell 7) is not covered by this list.
  3. The parent's command line (InitiatingProcessCommandLine, i.e. the rundll32 command line, not the child's) does not contain "zzzzInvokeManagedCustomActionOutOfProc". That string is the entry point Windows Installer invokes through rundll32 for managed custom actions built with the WiX Deployment Tools Foundation, a common benign source of rundll32-spawned shells during software installs.

In essence, it flags rundll32 launching command-line interpreters while excluding that one known installer pattern; any other benign parent (for example a signed management agent that drives rundll32) has to be tuned out separately.
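To show concretely which rows the two where clauses admit and reject, the following is an added Python emulation of the query run over constructed DeviceProcessEvents rows. It is not part of the original page or the author's query. The ProcessEvent class, the helper function names and every sample path and command line are assumptions made for this example; kql_has_any approximates Kusto's term matching by splitting both sides on non-alphanumeric characters and looking for the needle's terms as a contiguous run.

```python
import re
from dataclasses import dataclass


# Hypothetical stand-in for one DeviceProcessEvents row, restricted to the
# four columns the query reads. Field names mirror the real schema.
@dataclass
class ProcessEvent:
    FileName: str
    InitiatingProcessFileName: str
    InitiatingProcessVersionInfoInternalFileName: str
    InitiatingProcessCommandLine: str


def _terms(s):
    """Split a string into lowercase alphanumeric terms; every
    non-alphanumeric character is treated as a delimiter (approximation
    of Kusto's term index)."""
    return [t.lower() for t in re.split(r"[^A-Za-z0-9]+", s) if t]


def kql_contains(value, needle):
    """KQL `contains` / `!contains`: case-insensitive substring test."""
    return needle.lower() in value.lower()


def kql_has_any(value, needles):
    """KQL `has_any`: case-insensitive whole-term match. Each needle is
    tokenised like the value and must occur as a contiguous run of terms,
    so "powershell" matches "powershell.exe" but not "mypowershell.exe"."""
    hay = _terms(value)
    for needle in needles:
        want = _terms(needle)
        n = len(want)
        if n and any(hay[i:i + n] == want for i in range(len(hay) - n + 1)):
            return True
    return False


EXCLUDED_MARKER = "zzzzInvokeManagedCustomActionOutOfProc"
CHILD_TERMS = ("cmd.exe", "powershell", "powershell_ise")


def is_suspicious_rundll_child(ev):
    """Port of the query's two `where` clauses for a single row."""
    parent_is_rundll = (
        kql_contains(ev.InitiatingProcessFileName, "rundll")
        # `==` is case-sensitive in KQL, unlike contains/has_any
        or ev.InitiatingProcessVersionInfoInternalFileName == "rundll"
    )
    child_is_shell = kql_has_any(ev.FileName, CHILD_TERMS)
    installer_custom_action = kql_contains(ev.InitiatingProcessCommandLine, EXCLUDED_MARKER)
    return parent_is_rundll and child_is_shell and not installer_custom_action


def run_query(events):
    """Apply the filter to a sequence of rows; returns the rows the query would emit."""
    return [ev for ev in events if is_suspicious_rundll_child(ev)]


# Constructed sample rows (not real telemetry); DLL names and paths are made up.
SAMPLE_EVENTS = [
    # 1: rundll32 loading a DLL from a user-writable path and spawning cmd.exe
    ProcessEvent("cmd.exe", "rundll32.exe", "rundll",
                 r"rundll32.exe C:\Users\Public\loader.dll,Start"),
    # 2: upper-case parent name; `contains` is case-insensitive, so it still matches
    ProcessEvent("powershell.exe", "RUNDLL32.EXE", "rundll",
                 r"RUNDLL32.EXE C:\Users\Public\loader.dll,Start"),
    # 3: powershell_ise child
    ProcessEvent("powershell_ise.exe", "rundll32.exe", "rundll",
                 r"rundll32.exe C:\Users\Public\loader.dll,Start"),
    # 4: Windows Installer managed custom action (WiX DTF shape); dropped by !contains
    ProcessEvent("cmd.exe", "rundll32.exe", "rundll",
                 r'rundll32.exe "C:\Windows\Installer\MSIABCD.tmp",zzzzInvokeManagedCustomActionOutOfProc 1234 Action'),
    # 5: rundll32.exe copied under another name; caught only by the version-info test
    ProcessEvent("cmd.exe", "svchost.exe", "rundll",
                 r"svchost.exe C:\Users\Public\loader.dll,Start"),
    # 6: same child, different parent; not a rundll event at all
    ProcessEvent("powershell.exe", "explorer.exe", "explorer",
                 r"C:\Windows\explorer.exe"),
    # 7: PowerShell 7 child; "pwsh" is not in CHILD_TERMS, so the query misses it
    ProcessEvent("pwsh.exe", "rundll32.exe", "rundll",
                 r"rundll32.exe C:\Users\Public\loader.dll,Start"),
    # 8: rundll32 spawning something that is not a shell
    ProcessEvent("notepad.exe", "rundll32.exe", "rundll",
                 r"rundll32.exe shell32.dll,OpenAs_RunDLL C:\temp\x.txt"),
]


if __name__ == "__main__":
    for ev in run_query(SAMPLE_EVENTS):
        print(f"{ev.InitiatingProcessFileName} -> {ev.FileName}")
```

Rows 1, 2, 3 and 5 are returned; row 4 is suppressed by the installer exclusion, row 6 has the wrong parent, and rows 7 and 8 show the two ways a rundll32 child slips past the term list. Row 5 is the reason the version-info predicate is worth its cost: a renamed rundll32.exe keeps its InternalName, so it is still caught.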

Details

Ali Hussein

Released: October 3, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

|, where, contains, or, ==, @ (verbatim string literal), has_any, and, !contains
