Process monitoring is another useful data source for observing malicious execution of Rundll32. Capturing command-line activity will capture the both name of the DLL that was launched by rundll32.exe and any additional command-line arguments. Eight of our top 10 detection analytics for Rundll32 include a command-line component. Command monitoringĬommand-line parameters are some of the most reliable telemetry for detecting malicious use of Rundll32, since adversaries often need to pass command-line arguments for Rundll32 to execute.
RUNDLL32 EXE WINDOWS 10 FREE
These telemetry sources are widely available via commercial EDR products, native logging, and free or open source tooling. Network connection and module-related telemetry can provide additional enrichment for detections as well.
RUNDLL32 EXE WINDOWS 10 WINDOWS
Like much of Red Canary’s detection logic for native Windows binaries, analytics for catching adversaries who abuse Rundll32 lean heavily on process, process access, and command monitoring. Note: The visibility sections in this report are mapped to MITRE ATT&CK data sources and components.
RUNDLL32 EXE WINDOWS 10 CODE
We also occasionally see Cobalt Strike and a wide variety of other tools leverage Rundll32 to load code from DLLs within world-writable directories (e.g., the Windows temp directory). We reliably observe Cobalt Strike leveraging Rundll32 to call the StartW export function and load DLLs from the command line. More broadly, adversaries particularly like to leverage export functions capable of connecting to network resources and bypassing proxies to evade security controls.įor its part, the command and control (C2) tool Cobalt Strike often delivers beacon payloads in the form of DLLs. We’ve seen adversaries use Rundll32 to load comsvcs.dll, call the MiniDump function, and dump the memory of certain processes-oftentimes LSASS.
We’ve observed a variety of threats leveraging the DllRegisterServer function in this way, including Grief ransomware, IcedID, Qbot, TrickBot, and Ursnif, among others.Īdversaries also abuse legitimate DLLs and their export functions. renaming or relocating legitimate DLLs and using them for malicious purposesĭllRegisterServer is a DLL export function intended for use with regsvr32.exe, but adversaries commonly call it with Rundll32 as a means of bypassing application controls.executing malicious, adversary-supplied DLLs.abusing legitimate DLLs or export functions to perform malicious actions.using legitimate functions to bypass application control solutions.How do adversaries use Rundll32?Īdversaries abuse Rundll32 in many ways, but we commonly observe the following generic patterns of behavior: Under certain conditions, particularly if you lack controls for blocking DLL loads, the execution of malicious code through Rundll32 can bypass application control solutions.
Executing malicious code as a DLL is relatively inconspicuous compared to the more common option of executing malicious code as an executable. Adversaries typically abuse Rundll32 because it makes it hard to differentiate malicious activity from normal operations.įrom a practical standpoint, Rundll32 enables the execution of dynamic link libraries (DLL). Like other prevalent ATT&CK techniques, Rundll32 is a native Windows process and a functionally necessary component of the Windows operating system that can’t be blocked or disabled without breaking things.
0 kommentar(er)
