T1218.011-Rundll32
Shahrukh Khan
Security Engineer @ SOCByte | Information Security Analyst | SOC | WAZUH |
Adversaries may abuse rundll32.exe, a built-in Windows utility, to carry out their malicious objectives. This Microsoft-signed utility loads dynamic link libraries (DLLs) and runs the functions they export. It is present in both 32-bit and 64-bit versions of Windows. Attackers favor rundll32.exe because it lets them run functions hidden inside DLLs, executing their malicious code under the cover of a trusted system binary. Rundll32 is found at the following file locations:
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
What are DLLs, and What does Rundll32 do with them?
Dynamic Link Libraries (DLLs) are like special toolboxes that contain useful bits of code for programs to use. Instead of each program having its own copy of these tools, they all share the same toolbox stored in the DLL. This makes things more organized and saves space. When a program needs to use one of these tools, it can simply ask the DLL for help, and the DLL provides the necessary code.
Rundll32 acts like a middleman between programs and the tools stored in DLLs. It helps programs access and use those tools without directly talking to the DLLs themselves.
Malicious Objectives for Using Rundll32
Rundll32 is a built-in part of Windows, essential for proper system functioning; thus, disabling it could cause issues. This is why malicious actors favor using Rundll32—it seamlessly integrates with normal operations, making it challenging to detect suspicious activity. They often exploit Rundll32 to steal passwords or bypass security measures.
Primarily, Rundll32 is used to execute dynamic link libraries (DLLs). Unlike running a blatantly suspicious program, using a DLL can be covert, resembling a normal system process. Particularly if there are weak controls on the endpoint to block suspicious DLLs, malicious activities can be executed via Rundll32.
Despite being a legitimate utility, Rundll32 is a favorite of attackers. State-supported APT groups rely on it to execute malicious code during intrusions, evading security tools that would otherwise block their objectives.
Mechanisms of Adversaries Abusing Rundll32
Adversaries have various ways of misusing Rundll32, but there are common patterns we often see:
Adversaries also take advantage of legitimate DLLs and their functions. For instance, we've seen them use Rundll32 to load comsvcs.dll and call the minidump function to copy the memory of certain processes, often targeting LSASS. They also like to use export functions that can connect to network resources and bypass proxies, helping them evade security measures.
Similarly, adversaries often inject rundll32.exe into lsass.exe to access LSASS's memory contents.
We frequently notice adversaries using Rundll32 with unusual command-line settings, unexpected file locations, uncommon filenames that don't use DLL or PE file extensions for execution, or with hidden export functions. For instance, DllRegisterServer is meant for use with regsvr32.exe, but adversaries often use Rundll32 to call it to bypass application controls. We've seen various threats using the DllRegisterServer function in this manner.
Some typical examples include the following commands:
"C:\Windows\system32\cmd.exe" /c start rundll32 \cdfabdefacdeabcdfabdefacdeabcdfabdefacdfbf.cdfabdefacdeabcdfabdefacdeabcdfabdefacdfbf,JskFxphZumezrjnI
"C:\WINDOWS\system32\rundll32.exe" "C:\ProgramData\45f51194.dat",DllRegisterServer
Finally, we've noticed adversaries hiding harmful content within seemingly ordinary DLL export functions by using alternate data streams. The following command illustrates this:
"rundll32.exe" C:\Users\[redacted]:temp.dll,Start
Actions That Need to be Taken
Application control solutions like Windows Defender Application Control, VMware App Control, Airlock, and others offer features that restrict which DLLs can be loaded and run in the computer's memory.
Visibility
To effectively detect and combat this, having the necessary telemetry is essential. Fortunately, numerous data sources provide visibility into this technique, with many of them accessible through EDR and other widely available security tools.
Detection logics for catching adversaries who abuse Rundll32 lean heavily on process, process access, and command monitoring. Network connection and module-related telemetry can provide additional enrichment for detections as well. These telemetry sources are widely available via EDR, native logging, and free or open source tooling.
Command Monitoring
Monitoring the commands used in the command line is one of the best ways to catch when Rundll32 is being misused. This is because adversaries usually have to include command-line details for Rundll32 to work. It was observed that eight out of ten adversaries abuse Rundll32 by command line. By keeping an eye on command-line actions, you can see both the name of the DLL executed by rundll32.exe and any extra command-line details.
Process Monitoring
Monitoring processes is another effective approach to detecting when Rundll32 is being used for malicious objectives. Almost all of the methods for detecting Rundll32-related issues involve observing whether a process that seems to be Rundll32 is executing, along with another process (either its parent or child), a related command line, or some other source of data. Because adversaries can rename the file, it's more reliable to identify a process based on its metadata rather than its file name.
Process Access Monitoring
It's important to keep an eye on cross-process events too, especially because we often see a lot of credential theft activity involving Rundll32 accessing LSASS.
Network Monitoring
Although not as frequent or dependable as processes or command lines, network connections sometimes contribute to behavioral detectors for Rundll32. When combined with specific patterns of process lineage or command-line parameters, any network connection could be cause for concern. Alternatively, network connections might only raise suspicions when they're established with unexpected or newly registered domains.
Detection Technology
Windows Security Event ID 4688: Process Creation
Enabling command-line argument logging for Windows Security Event ID 4688 provides a native telemetry source for detecting abuse of Rundll32. This event captures crucial information about process creation, giving insight into potentially malicious activity. A thorough understanding of baseline process relationships within your environment is essential to separating genuine threats from false positives.
Endpoint Detection and Response (EDR) Tools
An EDR tool is a powerful resource for identifying abuse of Rundll32. It offers extensive visibility into endpoint activity, including process starts, command lines, and network connections. These capabilities give organizations the monitoring needed to detect and respond to malicious activity effectively.
Possible Use Cases
Using the DllRegisterServer Function to Bypass Application Controls
DLLs meant to be loaded by Regsvr32 should have a DllRegisterServer export function. Adversaries may use the same DLLs with rundll32.exe. Executing the DllRegisterServer export function with rundll32.exe is a tactic specific to adversaries and is rarely found in legitimate situations. An example of detection logic for this behavior:
process == rundll32.exe &&
command_includes ('DllRegisterServer') &&
event_id == 4688
There are numerous built-in DLLs that contain a DllRegisterServer function. Here's an example of executing a DllRegisterServer function with rundll32.exe:
rundll32.exe C:\Windows\System32\jscript.dll,DllRegisterServer
Rundll32 with Suspicious Process Lineage
It's crucial to understand what's typical in your system so you can recognize what's not. When it comes to Rundll32, keep an eye out for instances of rundll32.exe running from unusual parent processes:
parent_process == ('winword.exe' || 'excel.exe' || 'msaccess.exe' || 'lsass.exe' || 'taskeng.exe' || 'winlogon.exe' || 'schtask.exe' || 'regsvr32.exe' || 'wmiprvse.exe' || 'wsmprovhost.exe') &&
process == rundll32.exe &&
event_id == 4688
Another method to replicate this behavior is by executing rundll32.exe through WMI. The example below illustrates launching rundll32.exe as a child process of wmiprvse.exe:
wmic process call create "rundll32.exe C:\Windows\System32\jscript.dll"
Suspicious Export Functionalities
Consider monitoring instances where rundll32.exe is utilized to run Windows native DLLs containing export functions commonly exploited by adversaries to execute malicious code and evade security technologies. The following example focuses on detecting adversaries who utilize the MiniDump export function of comsvcs.dll to extract LSASS memory, but this logic could be adapted to detect other malicious activity as well.
(process == rundll32.exe || modload == comsvcs.dll) &&
command_includes ('MiniDump' || '#24')
Rundll Injection into LSASS
The following example assists in detecting instances where Rundll32 opens a cross process handle into LSASS to collect credentials:
process_name == rundll32.exe &&
cross_process == lsass.exe
Below is an example that demonstrates how to use the MiniDump export to copy process memory. Simply substitute the process ID (7084 in the example) with the desired process ID.
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 7084 memory.dmp full
Rundll32 Without a Command Line
Rundll32 usually requires specific command-line arguments and typically generates a child process when it executes. As a result, it's important to be cautious of instances where processes seem to be rundll32.exe but lack any command-line arguments. This is especially concerning if these processes spawn child processes or establish network connections:
process == rundll32.exe &&
command_includes (“”)* &&
has_network_connection || has_child_process
*Note: “” indicates a blank command line.
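As an added example that is not part of the original article, the detection logics in this section and the command-line patterns from the Mechanisms section (DllRegisterServer, suspicious parent, comsvcs.dll MiniDump, alternate data streams, non-DLL extensions, blank command line) are implemented in Python over constructed 4688-style events. The event field names and rule names are this example's own assumptions, not a Windows schema.

```python
import re
# Constructed 4688-style events (the page's sample command lines plus one benign); field names are this example's own.
EVENTS = [
    {"parent": "explorer.exe",
     "cmd": r'"C:\WINDOWS\system32\rundll32.exe" "C:\ProgramData\45f51194.dat",DllRegisterServer'},
    {"parent": "wmiprvse.exe", "cmd": r"rundll32.exe C:\Windows\System32\jscript.dll"},
    {"parent": "cmd.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 7084 memory.dmp full"},
    {"parent": "explorer.exe", "cmd": r'"rundll32.exe" C:\Users\[redacted]:temp.dll,Start'},
    {"parent": "svchost.exe", "cmd": "", "network": True},  # blank command line
    {"parent": "explorer.exe", "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "msaccess.exe", "lsass.exe", "taskeng.exe",
                      "winlogon.exe", "schtask.exe", "regsvr32.exe", "wmiprvse.exe", "wsmprovhost.exe"}
TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')  # one argv token, quotes kept inside

def parse_rundll32(cmd):
    """Return (dll_path, entry_point) from a rundll32 command line, or None when nothing
    follows rundll32. Handles quoted paths, a space after the comma, ordinal entries
    (#24) and rundll32 launched through 'cmd /c start rundll32 ...'."""
    tokens = [t.replace('"', "") for t in TOKEN.findall(cmd)]
    idx = next((i for i, t in enumerate(tokens)
                if t.lower().rsplit("\\", 1)[-1] in ("rundll32", "rundll32.exe")), None)
    if idx is None or idx + 1 == len(tokens):
        return None
    rest = tokens[idx + 1:]
    if rest[0].endswith(","):  # "comsvcs.dll, MiniDump": the entry is the next token
        return rest[0][:-1], (rest[1] if len(rest) > 1 else "")
    dll, _, entry = rest[0].partition(",")  # "x.dat,DllRegisterServer"
    return dll, entry

def evaluate(ev):
    """Return the names of the page's detection rules matched by one rundll32 4688 event."""
    hits = []
    if ev["parent"].lower() in SUSPICIOUS_PARENTS:
        hits.append("suspicious_parent")
    parsed = parse_rundll32(ev["cmd"])
    if parsed is None:  # no command line: only alarming with network or child activity
        return hits + (["no_command_line"] if ev.get("network") or ev.get("child") else [])
    dll, entry = parsed
    name = dll.rsplit("\\", 1)[-1].lower()
    if entry.lower() == "dllregisterserver":  # regsvr32 export invoked through rundll32
        hits.append("dllregisterserver")
    if name == "comsvcs.dll" and entry.lower() in ("minidump", "#24"):
        hits.append("comsvcs_minidump")  # LSASS memory-dump pattern
    if ":" in dll[2:]:  # a colon past the drive letter marks an alternate data stream
        hits.append("alternate_data_stream")
    if (name.rsplit(".", 1)[-1] if "." in name else "") not in {"dll", "exe", "ocx", "cpl"}:
        hits.append("non_pe_extension")
    return hits
```

Only the benign shell32.dll event produces no hits; every other constructed event trips at least one of the rules above.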
Real-life Example
Today's adversaries have shifted their strategy from simple techniques to remaining undetected for as long as possible. They extensively research new or overlooked methods that allow their malware to blend in with normal processes. These tactics, known as "defense evasion techniques," enable malware to bypass detection by security tools.
Interestingly, many of these evasion techniques leverage legitimate files and components provided by Microsoft. Referred to as "living off the land," these strategies repurpose features originally intended for benign purposes for malicious ends.
To evade detection by security tools, attackers often employ tactics like inserting legitimate processes into the chain of execution. By doing so, they disrupt the process tree, making it more difficult for security tools to flag suspicious behavior. This method underscores the need for constant vigilance and advanced detection techniques to thwart increasingly sophisticated attacks.
Rundll32.exe is a powerful utility. Microsoft designed it to load and run 32-bit dynamic-link libraries, but attackers have stretched its use far beyond that. By calling into DLLs like shell32.dll, Rundll32.exe can serve as a proxy for executing a variety of tasks.
1) Rundll32.exe executes JavaScript code.
In this situation, the attacker attempted to utilize Rundll32.exe to act as a proxy for executing JavaScript code.
This detection method is robust because it doesn't assess the JavaScript code itself to verify its legitimacy, but rather scrutinizes the behavior of the process. As previously mentioned, according to Microsoft, "Rundll32 loads and runs 32-bit dynamic-link libraries," so executing JavaScript should not be considered legitimate.
2) Rundll32.exe proxies shell commands.
In this situation, the attacker attempted to exploit Rundll32.exe to act as a proxy for running shell commands using CMD.
It's common for Rundll32.exe to be used with different arguments in conjunction with shell32.dll.
Once more, this detection method identifies the behavior of the process as malicious without analyzing the specific shell command.
Feel free to share more insights on this technique! The comment section is open for all security experts to contribute valuable information to our community.
In this article, information was referenced from the MITRE ATT&CK Framework, Cybereason, LOLBAS and Cynet.