[BUG] process_rundll32 macro looks for rundll32.exe OR RUNDLL32.EXE.

[vignesh-splk]

If you have a Splunk Support contract, creating a support case for your issue may result in faster resolution.

Support Case - 3848505

Describe the bug

Anas Faruqui identified a bug in the process_rundll32 macro used in an ESCU detection. The current macro definition is (Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE). The macro looks for rundll32.exe OR RUNDLL32.EXE. However, CrowdStrike EDR logs sometimes record rundll32 without the .exe extension. These events are not being detected by the current macro.

Expected behavior

The macro should look for rundll32* OR RUNDLL32* to detect the rundll.exe and rundll from the logs.

For example,
CommandLine: "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\PcaSvc.dll,PcaPatchSdbTask
CommandLine: RUNDLL32 C:\WINDOWS\system32\spool\DRIVERS\x64\3\PDFDESK.DLL,SetPrint 2754

Screenshots

App Version:

• ESCU: [5.15.2]
• Splunk Security Essentials: [N/A]

Additional context

To fix this modifying the macro to use wildcards, such as rundll32* and RUNDLL32*, to ensure detection of all relevant rundll32 process executions, regardless of case or the presence of the .exe extension.

Without Wildcard - Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE
With Wildcard - Processes.process_name=rundll32* OR Processes.original_file_name=RUNDLL32*

RUNDLL32 is considered as an alias for rundll32.exe

https://research.splunk.com/endpoint/f28e787e-69ca-480e-9f98-ab970e6d4bcc/?query=office

[nasbench]

Hey @vigneshs-splunk I think this is an issue with the TA extracting process_name from the commandline. Can you share the command line in this case?

To me this looks like a case where rundll32 was run from cmd like rundll32.....

So please share the full commandline.

[nasbench]

Also check out https://github.com/splunk/splunk-add-on-for-crowdstrike-fdr/issues/890 and CIM-1333 for better context

[patel-bhavin]

also @vigneshs-splunk Can you perhaps share the underlying _raw event in both cases where process_name is parsed as with the exe and without it ? You can DM it if you cant share publicly!

[anasfaruqui1]

hello>

this is not parsing/ta issues, we tested all of this, this 100% issues with your query, that needs to be updated

the raw event is this ( have masked some fields)
{"ProcessCreateFlags":"4","IntegrityLevel":"8192","ParentProcessId":"abcd32777185","SourceProcessId":"abcd032777185","UserSid":"S-1-5-21-abcd9841-1677128483-725345543-42086","ProcessEndTime":"","ParentBaseFileName":"WINWORD.EXE","EventOrigin":"1","id":"abcd7b5d-da31-4754-a168-3827c1d2f9d8","SessionId":"1","Tags":"25, 27, 41, 268, 874, 924, 1225, abcd5360464024, abcd5360464025, abcd5360464026, abcd5360464258, 10445360464273, 10445360464274, 10995116279184, 12094627905582, 12094627906234, 211381110440234, 219902325555779","LocalAddressIP4":"172.18.101.abc","event_simpleName":"ProcessRollup2","RawProcessId":"19840","AuthenticationId":"abcd5565","CallStackModuleNamesVersion":"8","ParentAuthenticationId":"49645565","TargetProcessId":"2568729269667","TreeId":"171798826015","ImageFileName":"\Device\HarddiskVolume3\Windows\System32\rundll32.exe","CallStackModuleNames":"0\u003c-1\u003e\Device\HarddiskVolume3\Windows\System32\ntdll.dll+0x9ee04:0x1f8000:0xd1cd3808|\Device\HarddiskVolume3\Windows\System32\KernelBase.dll+0x43845:0x2f7000:0x817d6404|\Device\HarddiskVolume3\Program Files\AppSense\Application Manager\Agent\AMAppHook.dll+0x413d9:0x14e000:0xbb72f59c|2+0x3f295|1+0x408c6|\Device\HarddiskVolume3\Windows\System32\kernel32.dll+0x1cef4:0xc2000:0xeee0fc1a|\Device\HarddiskVolume3\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll+0x96d30:0x16c000:0x6896054f|6+0x96844|6+0x97867|6+0x9151a|6+0x91bb7|\Device\HarddiskVolume3\Windows\System32\spool\drivers\x64\3\pdf4u64.dll+0x1d690:0x8f2be:0x4c37a0ae|11+0x1e9d7|11+0x1507a|11+0x188f8|11+0x13509|11+0xf15e|11+0xf606|11+0x63a2|\Device\HarddiskVolume3\Windows\System32\gdi32full.dll+0x35472:0x119000:0x4cc59dc3|\Device\HarddiskVolume3\Windows\System32\user32.dll+0x2a18e:0x19d000:0xb96d98fd|0+0xa1374|[KERNEL]+0xfffff8077483d935::|[KERNEL]+0xffffa181eac2ed29::|[KERNEL]+0xffffa181eaba3bd2::|[KERNEL]+0xffffa181eac3fcab::|[KERNEL]+0xffffa181eac4aed6::|[KERNEL]+0xffffa181ead5c8f1::|[KERNEL]+0xffffa181eb799516::|[KERNEL]+0xfffff80774611505::|\Device\HarddiskVolume3\Windows\System32\win32u.dll+0x3fc4:0x22000:0xe02af144|19+0x663a6|\Device\HarddiskVolume3\Windows\System32\gdi32.dll+0xbc29:0x2b000:0x8fdf2fa3|32+0x2cb6|\Device\HarddiskVolume3\Program Files\Microsoft Office\root\Office16\WWLIB.DLL+0x63adb1:0x33d4000:0x68960521|34+0x24e887|34+0xa4e41|34+0xc07d6d|34+0xc071d2|34+0x1b0d7c7|34+0xcc1168|5+0x17374|0+0x4cc91","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1757368307.339","ComputerName":"EUVSL201111","ProcessParameterFlags":"24577","aid":"8a27d75f5fe34127807cf6c1c8a02667","cid":"d5fedc89288e4d409417fb3d15a9be8b","WindowTitle":"C:\WINDOWS\SYSTEM32\RUNDLL32.exe","aip":"91.216.116.254","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Win","TokenType":"1","AuthenticodeHashData":"d23d1c54fad18e66422bb7204b0ef4226b81196a","ImageSubsystem":"2","EffectiveTransmissionClass":"3","ShowWindowFlags":"0","timestamp":"1757368308209","ConfigStateHash":"2724298073","UserName":"AMahmood","MD5HashData":"abcd032aebd51583832ef3e96f5c81da","SHA256HashData":"abcd92ca1957f8f357cc201f0015072c612f5770ad7de85f87f254253c754dd7","ProcessSxsFlags":"64","ConfigBuild":"1007.3.0019811.15","WindowFlags":"1","CommandLine":"RUNDLL32 C:\WINDOWS\system32\spool\DRIVERS\x64\3\PDFDESK.DLL,SetPrint 2754","SourceThreadId":"57719591708329","CreateProcessType":"1","Attacks":[{"Tactic":"Defense Evasion","Technique":"Process Injection"}],"SignInfoFlags":"8683538"}
Show syntax highlighted

[nasbench]

Hi, it seems that you did not really read what i linked. This is a TA issue and a CIM confusion that introduces an edge case.

The eval from the TA for process_name is as follow

EVAL-process_name = case(
        event_simpleName IN ("ProcessRollup2", "SyntheticProcessRollup2", "ProcessBlocked"), mvindex(split(if(like(CommandLine, "\"%\"%"), mvindex(split(CommandLine, "\""), 1), mvindex(split(CommandLine, " "), 0)), if(event_platform="Win", "\\", "/")), -1),

        event_simpleName IN ("WmiCreateProcess", "DriverLoad", "ScreenshotTakenEtw", "ImageHash", "PrivilegedProcessHandleFromUnsignedModule", "KernelModeLoadImage"), mvindex(split(ImageFileName, if(event_platform="Win", "\\", "/")), -1), \
        
        event_simpleName = "CommandHistory", mvindex(split(CommandHistory, " "), 0))

If the event_simpleName is ProcessRollup2 which is the case in your event, then process_name is parsed from CommandLine and the first string is taken. In this case you get rundll32 without the .exe part.

A better way would be to parse the ImageFileName as it contains the actual process that performed this.

Please give the tickets a read to learn more.

[anasfaruqui1]

Case #3848505 Datamodel Endpoint not populating processes.commandline for CrowdStrike FDR logs [ ref:_00D409oyL._500KW1y0lDk:ref ]

[anasfaruqui1]

i cannot read these two links

Also check out https://github.com/splunk/splunk-add-on-for-crowdstrike-fdr/issues/890 and CIM-1333 for better context

[nasbench]

i cannot read these two links

Also check out splunk/splunk-add-on-for-crowdstrike-fdr#890 and CIM-1333 for better context

Oh hey @anasfaruqui1 just learned that you cannot view these tickets, my bad.

[nasbench]

Just to keep you updated @anasfaruqui1 and co.
I've opened a new ticket internally to track this a couple of weeks ago. I will keep you posted if anything comes up.
It should be looked at and a potential fix should be introduced.

[anasfaruqui1]

Acknowledging your updates