
[Rule Tuning] Unusual Child Processes of RunDLL32: False alert on legitimate RunDLL32 activity with Microsoft-signed DLL #4944

@girtsLv

Link to Rule

https://github.com/elastic/detection-rules/blob/756a7f49ba55e8eb14d038ce441a5b7e499a48a0/rules/windows/defense_evasion_rundll32_no_arguments.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

The detection rule "Unusual Child Processes of RunDLL32" is flagging legitimate RunDLL32 activity as suspicious. In this case, a Microsoft-signed DLL is involved. The following process chain triggers the alert:
Process 1636 -> 2732 -> 19272

Process ID: 1636
Execution time: Jul 28, 2025 8:55:21 AM
Command line: services.exe
Image file path: C:\Windows\System32\services.exe
Image file SHA1: [...]
Image file SHA256: [...]
Execution details: Token elevation: Default, Integrity level: System
Signer: Microsoft Windows Publisher
Issuer: Microsoft Windows Production PCA 2011

Process ID: 2732
Execution time: Jul 28, 2025 8:55:22 AM
Command line: svchost.exe -k netsvcs -p -s Schedule
Image file path: C:\Windows\System32\svchost.exe
Image file SHA1: [...]
Image file SHA256: [...]
Execution details: Token elevation: Default, Integrity level: System
Signer: Microsoft Windows
Issuer: Microsoft Windows Production PCA 2011

Process ID: 19272
Execution time: Jul 29, 2025 3:49:13 AM
Command line: "rundll32.exe" sysmain.dll,PfSvWsSwapAssessmentTask
Image file path: C:\Windows\System32\rundll32.exe
Image file SHA1: [...]
Image file SHA256: [...]
Execution details: Token elevation: Default, Integrity level: System
Signer: Microsoft Windows
Issuer: Microsoft Windows Production PCA 2011

Example Data

No response
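A check worth running before proposing the tuning, added here as an example that is not the reporter's code and not the Elastic rule's own EQL (the rule query is not reproduced): a candidate exception predicate for this chain, evaluated over constructed process events that mirror the three processes above and over near-miss variants that the exception must keep flagging. The `ProcessEvent` fields, the `is_known_benign_sysmain_task` predicate and the near-miss command lines are assumptions of this example. Note that the predicate keys on the DLL name taken from the rundll32 command line and on the Authenticode signers of rundll32.exe and svchost.exe; the process events reported in the issue carry no signature for sysmain.dll itself, so confirming that the DLL is Microsoft-signed would need the corresponding image-load event.

```python
"""Added example, not the reporter's code and not the Elastic rule's EQL:
a hypothetical exception for the reported rundll32 chain, checked against
constructed events so it suppresses that chain and nothing close to it."""
import dataclasses
import shlex
from typing import Optional


@dataclasses.dataclass(frozen=True)
class ProcessEvent:
    """Process-creation event with the fields the issue reports per process
    (hashes are elided in the issue and omitted here)."""
    pid: int
    parent_pid: int
    image: str          # image file path
    command_line: str
    signer: str         # Authenticode signer subject, "" if unsigned
    issuer: str         # issuing CA, "" if unsigned


MS_SIGNERS = {"Microsoft Windows", "Microsoft Windows Publisher"}
MS_ISSUER = "Microsoft Windows Production PCA 2011"

# Constructed events mirroring the chain in the issue (1636 -> 2732 -> 19272).
REPORTED_CHAIN = (
    ProcessEvent(1636, 0, r"C:\Windows\System32\services.exe", "services.exe",
                 "Microsoft Windows Publisher", MS_ISSUER),
    ProcessEvent(2732, 1636, r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs -p -s Schedule",
                 "Microsoft Windows", MS_ISSUER),
    ProcessEvent(19272, 2732, r"C:\Windows\System32\rundll32.exe",
                 '"rundll32.exe" sysmain.dll,PfSvWsSwapAssessmentTask',
                 "Microsoft Windows", MS_ISSUER),
)


def tokenize(command_line: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes.
    shlex in non-POSIX mode keeps the quotes on a quoted token; strip them."""
    return [tok.strip('"') for tok in shlex.split(command_line, posix=False)]


def parse_rundll32_args(command_line: str):
    """Return (dll, export) from 'rundll32.exe <dll>,<export> [args...]',
    or (None, None) when no DLL argument is present."""
    args = tokenize(command_line)
    if len(args) < 2 or "," not in args[1]:
        return None, None
    dll, _, export = args[1].partition(",")
    return dll.lower(), export


def is_known_benign_sysmain_task(proc: ProcessEvent,
                                 parent: Optional[ProcessEvent]) -> bool:
    """Hypothetical exception (assumption of this example): rundll32 invoking
    SysMain's PfSvWsSwapAssessmentTask export, started by the Task Scheduler
    service host (svchost -s Schedule), with both images Microsoft-signed."""
    if proc.image.lower() != r"c:\windows\system32\rundll32.exe":
        return False
    if parse_rundll32_args(proc.command_line) != ("sysmain.dll",
                                                  "PfSvWsSwapAssessmentTask"):
        return False
    if proc.signer not in MS_SIGNERS or proc.issuer != MS_ISSUER:
        return False
    if parent is None or parent.image.lower() != r"c:\windows\system32\svchost.exe":
        return False
    parent_args = tokenize(parent.command_line)
    try:
        service = parent_args[parent_args.index("-s") + 1]
    except (ValueError, IndexError):
        return False
    if service != "Schedule":
        return False
    return parent.signer in MS_SIGNERS and parent.issuer == MS_ISSUER


def suppressed(chain) -> bool:
    """Apply the exception to the last process in the chain, resolving its
    parent by pid within the same chain."""
    by_pid = {p.pid: p for p in chain}
    proc = chain[-1]
    return is_known_benign_sysmain_task(proc, by_pid.get(proc.parent_pid))


def near_misses() -> dict:
    """Constructed variants differing from the reported chain in one field the
    exception relies on; a precise exception must not suppress any of them."""
    parent, proc = REPORTED_CHAIN[1], REPORTED_CHAIN[2]
    return {
        "different_export": (parent, dataclasses.replace(
            proc, command_line='"rundll32.exe" sysmain.dll,OtherExport')),
        "unsigned_copy_outside_system32": (parent, dataclasses.replace(
            proc, image=r"C:\Users\Public\rundll32.exe", signer="", issuer="")),
        "other_service_host": (dataclasses.replace(
            parent, command_line="svchost.exe -k netsvcs -p -s BITS"), proc),
        "no_dll_argument": (parent, dataclasses.replace(
            proc, command_line='"rundll32.exe"')),
    }


def evaluate_near_misses() -> dict:
    """Map each near-miss name to whether the exception would suppress it."""
    return {name: suppressed(chain) for name, chain in near_misses().items()}


if __name__ == "__main__":
    print("reported chain suppressed:", suppressed(REPORTED_CHAIN))
    for name, hit in evaluate_near_misses().items():
        print(f"{name}: {'suppressed' if hit else 'still alerts'}")
```

Running the script should report the chain from the issue as suppressed and every near miss as still alerting; if a near miss is suppressed, the exception is broader than the evidence in the issue justifies and needs another constraint.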
