Rundll Suspicious
Query
Tags:
Query:
DeviceProcessEvents
| where InitiatingProcessFileName contains "rundll" or InitiatingProcessVersionInfoInternalFileName == @"rundll"
| where FileName has_any ("cmd.exe","powershell", "powershell_ise") and InitiatingProcessCommandLine !contains @"zzzzInvokeManagedCustomActionOutOfProc"
References:
Notes:Explanation
Sure, here's a simple summary of the query:
This query is searching through device process events to find instances where a process related to "rundll" has started another process. Specifically, it looks for cases where:
- The initiating process (the one that started another process) has a file name that contains "rundll" or its internal file name is exactly "rundll".
- The process that was started is either "cmd.exe", "powershell", or "powershell_ise".
- The command line used to start the process does not contain the string "zzzzInvokeManagedCustomActionOutOfProc".
In essence, it's filtering for suspicious activity where "rundll" is used to start command-line tools, but excluding a specific known command line pattern.
Details

Ali Hussein
Released: October 3, 2023
Tables
DeviceProcessEvents
Keywords
DeviceProcessEvents
Operators
DeviceProcessEvents|wherecontainsor==@has_anyand!contains