Description
The analytic Detect Rundll32 Application Control Bypass - setupapi generates false positives due to overly broad matching of any rundll32.exe execution with setupapi.dll. Specifically, the current SPL does not limit detection to invocations of the LaunchINFSection function, as described in the analytic documentation.
For example, legitimate executions such as:
rundll32.exe setupapi.dll,InstallHinfSection
are incorrectly flagged by the detection logic, even though they do not use the LaunchINFSection function and are benign in many enterprise environments.
Expected behavior
The rule should only detect cases where rundll32.exe is used with setupapi.dll or iesetupapi.dll and the LaunchINFSection function is explicitly called. This would align the SPL with the analytic’s intended behavior and reduce false positives.
Screenshots
N/A
App Version:
ESCU: 4.6.0 (or latest available if not version-locked)
Splunk Security Essentials: N/A
Additional context
Current behavior in SPL:
Processes.process=setupapi
This condition captures all uses of setupapi.dll, regardless of the function invoked.
Suggested SPL Fix:
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes
where `process_rundll32`
Processes.process IN ("*setupapi.dll*", "*iesetupapi.dll*")
AND Processes.process="*LaunchINFSection*"
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process
Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name Processes.process_path
Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_rundll32_application_control_bypass___setupapi_filter`
Justification:
This refinement ensures the detection logic strictly targets only invocations using LaunchINFSection, consistent with the documented analytic behavior. It helps reduce noise and improve detection fidelity.
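To make the false-positive argument concrete, here is an added Python check (not part of the issue or of the ESCU project) that replays the two matching strategies over a handful of constructed rundll32 command lines: the broad "any setupapi" match and the narrowed "setupapi/iesetupapi AND LaunchINFSection" match the suggested SPL expresses. The sample command lines and regexes are assumptions for illustration.

```python
import re

# Constructed sample command lines (not from the original issue): the benign
# InstallHinfSection case, the LaunchINFSection case the analytic targets,
# the iesetupapi.dll variant, and an unrelated rundll32 call.
SAMPLE_PROCESSES = [
    r'rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\drivers\net.inf',
    r'rundll32.exe setupapi.dll,LaunchINFSection C:\Users\Public\test.inf,DefaultInstall',
    r'RUNDLL32.EXE iesetupapi.dll,LaunchINFSection C:\Temp\ie.inf,DefaultInstall',
    r'rundll32.exe shell32.dll,Control_RunDLL',
]

# Process field is the full command line; rundll32.exe may be bare or path-qualified.
RUNDLL32 = re.compile(r'(^|\\)rundll32\.exe\b', re.IGNORECASE)
# Either DLL named in the issue, as a whole token.
SETUPAPI_DLL = re.compile(r'\b(ie)?setupapi\.dll\b', re.IGNORECASE)
# The exported function must follow the DLL name after the comma separator.
LAUNCH_INF = re.compile(r',\s*LaunchINFSection\b', re.IGNORECASE)


def current_rule(process: str) -> bool:
    """Mirrors the issue's description of the shipped logic: any rundll32.exe
    whose command line mentions setupapi, regardless of the exported function."""
    return bool(RUNDLL32.search(process)) and 'setupapi' in process.lower()


def proposed_rule(process: str) -> bool:
    """Mirrors the suggested SPL: rundll32.exe AND (setupapi.dll or iesetupapi.dll)
    AND an explicit LaunchINFSection call."""
    return (bool(RUNDLL32.search(process))
            and bool(SETUPAPI_DLL.search(process))
            and bool(LAUNCH_INF.search(process)))


def evaluate(processes=SAMPLE_PROCESSES):
    """Return (command line, current fires, proposed fires) per sample so the
    noise reduction can be compared side by side."""
    return [(p, current_rule(p), proposed_rule(p)) for p in processes]


if __name__ == '__main__':
    for proc, cur, prop in evaluate():
        print(f'current={cur!s:5} proposed={prop!s:5}  {proc}')
```

Only the InstallHinfSection line changes verdict between the two rules; the LaunchINFSection invocations stay detected.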