Query Details
Rundllwithoutcommandline
Query
Tags: Query: DeviceProcessEvents | where FileName == "rundll32.exe" or ProcessVersionInfoOriginalFileName == @"RUNDLL32.EXE"| where ProcessCommandLine matches regex "^$" References: Notes:
Explanation
Sure! Here's a simple summary of the provided KQL (Kusto Query Language) query:
-
Data Source: The query is looking at
DeviceProcessEvents, which is a table containing events related to processes on devices. -
File Name Filter: It filters the events to include only those where the
FileNameis "rundll32.exe" or theProcessVersionInfoOriginalFileNameis "RUNDLL32.EXE". -
Command Line Filter: It further filters these events to include only those where the
ProcessCommandLineis empty (matches the regex pattern "^$", which represents an empty string).
In summary, this query retrieves events where the process is "rundll32.exe" and the command line used to start the process is empty.
Details
Ali Hussein
Released: October 3, 2023
Tables
DeviceProcessEvents
Keywords
DeviceProcessEvents
Operators
==ormatches regex