Rundll32 - veramine/Detections GitHub Wiki

The rundll32.exe program loads a DLL and calls one of its exported functions, so it can be used to execute arbitrary code on a host. Adversaries take advantage of this to proxy execution of their own code through a legitimate, Microsoft-signed binary, avoiding security tools that do not scrutinize rundll32.exe closely, either because it is whitelisted or because Windows itself runs rundll32.exe so often for normal operations that alerting on it alone would produce false positives. You can read more about this attacker technique at https://attack.mitre.org/wiki/Technique/T1085 (MITRE has since folded T1085 into the Rundll32 sub-technique T1218.011).

Veramine's detection engine highlights any unknown, new, or suspicious rundll32.exe image loads. Here we see an example of rundll32.exe loading an unsigned DLL that had never previously been loaded by rundll32:

images/e36-1.png

Generic detections like this one carry more weight when several independent heuristics flag the same activity; here the DLL is both unsigned and one that rundll32 had never loaded before. The Veramine platform also correlates each detection with the detail needed to triage it quickly. Clicking the process detail hyperlink in this detection shows the chain of processes involved in this process tree:

images/e36-2.png

We can see here that the rundll32.exe process created a child process, an innocuous calc.exe in this case. The child process is a further signal worth correlating with the image load: real-world post-exploitation attacker activity will usually involve more suspicious-looking child processes than calc.exe.
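The baseline-and-scoring logic described above, run over sample telemetry, as an added example that is not Veramine's code. It keeps a baseline of DLLs rundll32.exe has previously loaded, flags a first-time load, adds weight when the DLL is unsigned or lives in a user-writable path, and adds a little more when the same rundll32.exe spawns a child process, so the alert fires only when several heuristics coincide. The events are constructed Sysmon-style records embedded inline (Event ID 7 for image load, Event ID 1 for process create); the field names, the baseline contents and the heuristic weights are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed baseline of DLLs that rundll32.exe has previously loaded on this
# host (lower-cased full paths). In a real deployment this set would be learned
# from historical image-load telemetry rather than hard-coded.
BASELINE = {
    r"c:\windows\system32\shell32.dll",
    r"c:\windows\system32\ole32.dll",
}

# Constructed sample telemetry, Sysmon-style: id 7 = image load, id 1 = process
# create. Field names are assumptions for this example.
EVENTS = [
    {"id": 7, "pid": 4100, "image": r"C:\Windows\System32\rundll32.exe",
     "loaded": r"C:\Windows\System32\shell32.dll", "signed": True},
    {"id": 7, "pid": 4100, "image": r"C:\Windows\System32\rundll32.exe",
     "loaded": r"C:\Users\bob\AppData\Local\Temp\update.dll", "signed": False},
    {"id": 1, "pid": 4188, "ppid": 4100, "image": r"C:\Windows\System32\calc.exe"},
    # A second, benign rundll32 that only loads a baseline, signed DLL.
    {"id": 7, "pid": 5200, "image": r"C:\Windows\System32\rundll32.exe",
     "loaded": r"C:\Windows\System32\ole32.dll", "signed": True},
]

# Heuristic weights (assumed for illustration). Each signal is weak on its own;
# the score only crosses the alert threshold when several of them coincide.
W_NEW_DLL = 2        # DLL never before loaded by rundll32 on this host
W_UNSIGNED = 3       # DLL has no valid Authenticode signature
W_USER_PATH = 2      # DLL lives in a user-writable location
W_CHILD_PROC = 1     # rundll32 spawned a child process
ALERT_THRESHOLD = 4


def is_rundll32(path):
    return path.lower().endswith("\\rundll32.exe")


def user_writable(path):
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\temp\\" in p or "\\programdata\\" in p


def score_events(events, baseline=BASELINE):
    """Score each rundll32.exe process seen in `events`.

    Returns {pid: {"score": int, "reasons": [str], "children": [str]}}.
    """
    findings = defaultdict(lambda: {"score": 0, "reasons": [], "children": []})
    rundll_pids = set()
    seen = set(baseline)  # copy so scoring does not mutate the caller's baseline

    for ev in events:
        if ev["id"] == 7 and is_rundll32(ev["image"]):
            rundll_pids.add(ev["pid"])
            f = findings[ev["pid"]]
            dll = ev["loaded"].lower()
            if dll not in seen:
                f["score"] += W_NEW_DLL
                f["reasons"].append(f"first load of {ev['loaded']} by rundll32")
                seen.add(dll)  # later loads of the same DLL are no longer "new"
            if not ev["signed"]:
                f["score"] += W_UNSIGNED
                f["reasons"].append(f"unsigned DLL {ev['loaded']}")
            if user_writable(ev["loaded"]):
                f["score"] += W_USER_PATH
                f["reasons"].append(f"DLL in user-writable path {ev['loaded']}")
        elif ev["id"] == 1 and ev.get("ppid") in rundll_pids:
            # Child process of a rundll32 we are already tracking.
            f = findings[ev["ppid"]]
            f["score"] += W_CHILD_PROC
            f["children"].append(ev["image"])
            f["reasons"].append(f"rundll32 spawned {ev['image']}")
    return dict(findings)


def alerts(findings, threshold=ALERT_THRESHOLD):
    """PIDs whose combined score reaches the alert threshold, highest first."""
    hot = [(pid, f) for pid, f in findings.items() if f["score"] >= threshold]
    return [pid for pid, _ in sorted(hot, key=lambda x: -x[1]["score"])]


if __name__ == "__main__":
    results = score_events(EVENTS)
    for pid in alerts(results):
        print(f"pid {pid} score {results[pid]['score']}")
        for reason in results[pid]["reasons"]:
            print("  -", reason)
        for child in results[pid]["children"]:
            print("  child:", child)
```

On the constructed input only pid 4100 crosses the threshold: the unsigned, never-before-seen DLL from a Temp directory alone scores 7, and the calc.exe child adds one more. The benign rundll32 (pid 5200) loading a signed baseline DLL scores 0, which is the point of baselining: Windows runs rundll32.exe constantly, so a detection keyed on the process name alone would be useless.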