Ever found yourself looking at a normal program that isn’t behaving quite the way it should be? Do you have trouble pinpointing baselines and maintaining effective detections on default Microsoft binaries? These LOLBins are no laughing matter. In this break down of Rachel Schwalk’s talk at BSides KC 2023, we talk about abnormal activity leveraging this commonly seen tactic.
LOLBin taxonomy
Living-off-the-land binaries, or LOLBins, are binaries that are already native in the operating system or can be downloaded directly from Microsoft. Many of these default binaries can be used for malicious purposes—in fact, 35 percent of all malicious and suspicious Red Canary detections in 2022 incorporated LOLBins. Rachel confirms that this doesn’t include testing or non-malicious behavior; these are all threats creeping out of the woods, so to speak. Commonly abused binaries include:
It is difficult for defenders to easily differentiate malicious and normal LOLBin behavior. Tools such as EchoTrail provide information on what is normal for these binaries. The nature of these binaries can make it difficult to keep track of normality, though.
“Usually PowerShell and other scripting engines get a lot of love,” Rachel notes, speaking on usual detection methods, “while rundll32, regsvr32, msbuild, msiexec, and mshta are the underdogs when comparing to PowerShell.”
Curious behavior
In order to detect LOLBins, one must know not only the definition of a misbehaving binary, but also the behavior of each individual binary. Researching the purpose of the binary offers a lot of helpful information about whether it should be using network connections, what its usual path should be, and any typical command-line parameters that it uses in execution.
Normal behavior isn’t just for understanding common activity. “After you baseline normal you’re going to look for how this binary can be abused,” notes Rachel, “then you’ll look at what malware families are doing to abuse that binary.”
As an example, Rachel presents a few examples of behavior that aren’t associated with a specific binary, like:
- Downloading from a remote resource
- Executing with an unexpected command line
- Proxying execution through another process
- Executing from an unexpected path
- Misuse of a legitimate function
Exploring rundll32
The rundll32 binary enables the execution of dynamic link libraries, or DLLs. It typically executes from the C:\Windows\System32 or C:\Windows\SysWOW64 folders, with network connections to port 443 and port 80 classified as normal behavior. It executes with a command line, using the format of rundll32.exe {DLLname, DLLfunction}, which can provide a next point of investigation.
Rundll32 also has common parents in processes like svchost, explorer, spoolsv (the printer spooler service), or even rundll32, making it both a parent and child process to itself. Other child processes include winsat and dfsvc, the Windows system assessment tool and the distributed file system service, respectively.
When rundll32 is abused, it’s often by abusing legitimate DLLs or export functions to perform malicious actions; comsvcs.dll can be used to dump the process memory of LSASS by calling the MiniDump function through rundll32, for instance. It can also be abused by executing malicious, adversary-supplied DLLs, as seen with threats like Emotet. Another example of abuse is the use of legitimate functions to bypass application control solutions, like using DLLRegisterServer (which is typically used by regsvr32) to register and execute a DLL that can then be used for malicious purposes.
Evidence of this sort of abnormal behavior represents itself in logging through any aberrations from the more regular behaviors listed above. Unusual process executions, like JavaScript and PowerShell with rundll32.exe as a parent process, can indicate a malicious code execution. Initial downloads and executions from remote sources are also suspect depending on sources: for example, DLLs executing in an Alternate Data Stream (ADS) or rundll32 executing without command-line parameters.
“Rundll32 should always be executing with the DLL name and function, so when it doesn’t that could be a sign that something’s up,” notes Rachel.
Evil things
Many famous threats use rundll32 as their agent of chaos. Among them are many that were featured in the 2023 Threat Detection Report, as they were the most commonly seen in Red Canary customer environments.
Qbot
Though its infrastructure was taken down by law enforcement in summer 2023, Qbot is a long-time heavy hitter with a lot of interesting techniques, being primarily used by financially motivated threat actors since 2007. The activity that indicated some curious goings-on was as follows:
rundll32.exe C:\Users\Public\Documents\file.dll,RS32
rundll32 C:\programdata\putty.jpg,Wind
“There are a couple of examples of what DLL execution looked like for Qbot, where it was calling from that public documents folder…a random DLL calling the RS32 function. That use of a strange folder and a DLL is very strange behavior,” Rachel points out, indicating the first example. “Same with the next one: in the ProgramData folder, it’s calling a random JPG that’s not a JPG, and it has a randomly named function name of wind.”
SocGholish
This devious threat actor leverages drive-by downloads, disguising its malware as software updates to trick users into interacting with its JavaScript payloads. One example of rundll32 use within those payloads is:
rundll32.exe c:\programdata\nmiwe.dll,DllRegisterServer“[The victim] gets this nice little update.js JavaScript file that then executes rundll32… also using the ProgramData folder and using that function mentioned earlier that is used by regsvr32 legitimately.”
Gamarue
A prolific botnet-budding worm, this threat is primarily spread through infected USB drives. Gamarue is sometimes used to spread other malware and steal information. This curious-looking rundll32 execution would make any analyst look twice:
"C:\Windows\system32\rundll32.exe" \_----______--_-_-_---__---_----_-__---___-_____---_-__._----______--_-_-_---__---_----_-__---___-_____---_-__,wmSMWWOemsikSACk
“I like this one because it kinda looks like morse code with the dashes and underscores. But that’s not redacted, that’s just the DLL naming scheme there,” Rachel says. “…so looking at that you can tell that something’s definitely up. That’s not normal.”
IcedID
Another banking trojan that’s been around the block, IcedID is modular and misbehaving in all sorts of curious ways. In this example, it uses rundll32 to execute a custom DLL buried in the Roaming folder, hiding the function in a way best described as “tricky:”
rundll32.exe "C:\Users\test\AppData\Roaming\test\teabse\uvbipw4.dll",#1 --ulejfi="jhghjdfghdfgh"“What I like about this one is that it calls an ordinal value function. So that hashtag, pound sign, whatever you want to call it is the ordinal value for saying the first function in that DLL. That’s a way that sometimes adversaries will use to obfuscate what function they’re actually calling.”
Seeking out the strange
This is where Rachel’s talk takes a turn, from examples of evil to events for exposure. These detection opportunities provide some useful ideas of fields to look out for when building your detectors.
Command lines provide a great opportunity. Whether it be an unusual CLI with a known abuse mechanism present or a lack of CLI entirely, the command line provides insight into what is being called and, by extension, for what purpose. A URL in the command line can also be a great indicator of evil. These opportunities look like:
rundll32with no.DLLin the command linerundll32with no CLI at allrundll32with http in CLIrundll32with a rare function (like an ordinal value#orDllRegisterServer)
Another identified that Rachel mentions is lineage: “Lineage can be a good one. Specifically if you see something spawning reconnaissance commands, that’s usually only going to be done by the command prompt if reconnaissance is necessary in your environment.” Opportunities related to lineage include:
process == rundll32.exe && childproc == javascriptparent_process == MS Office binary
Rachel notes that unusual execution locations of rundll32 are an excellent opportunity, especially now that we know its most common locations. Anything outside of the system32 or syswow64 folders should be suspect.
process == rundll32.exe && process_path != windows\system32 || windows\syswow64Similarly, network connections, changes to files, and loading of unusual or unknown modules are all flags of fishy behavior.
Remember when using these detection opportunities that this logic will not be one-size-fits-all; no two environments are the same. Take note of things that can be tuned out in your environment.
More fun with LOLBins
Rachel has a veritable bounty of foraged threats and their associated LOLBins, all organized and ready for dissection. Among them is Raspberry Robin, the Red Canary-named and tracked activity cluster known for worming its way in on a USB drive.
Becoming the threat
We’ve learned a lot about LOLBins and their usual activities, and even built a few detections to handle them. How do we know that these detections are working?
This is where Atomic Red Team comes in. Atomic Red Team is a library of tests that every security team can execute to simulate adversarial activity and validate their defenses. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks. As these tests are mapped to the MITRE ATT&CK framework, they are highly flexible and can be matched to just about any fishy activity (like the examples shown above!).
Happy hunting!