title: Rundll32 Possible Cobalt Strike 
description: Loose detection of lateral movement through SMB, commonly used with Cobalt Strike.
author: keyboardcrunch
date: 02/12/2020
modified: 05/12/2020
mitre: 
   tactic: Defense Evasion
   technique: T1218
   subtechnique: 011
operating_system: windows
query: ( SrcProcName In AnyCase  ( "rundll32.exe" ) AND SrcProcCmdLine IS EMPTY ) OR ( SrcProcName In AnyCase  ( "rundll32.exe" ) AND NetConnOutCount > "0" AND SrcProcParentName Not In  ( "splwow64.exe" ) AND SrcProcParentName Not In  ( "msiexec.exe" ) AND SrcProcCmdLine RegExp ".*((?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus))$/gmi" )
false_positives:
   - Printer drivers
   - High number of outbound SMB connections
tags:
   - Cobalt Strike
references:
   - https://thedfirreport.com/2020/10/08/ryuks-return/