Why do adversaries use Rundll32?
Like other prevalent ATT&CK techniques, Rundll32 is a native Windows process and a functionally necessary component of the Windows operating system that can’t be blocked or disabled without breaking things. Adversaries typically abuse Rundll32 because it makes it hard to differentiate malicious activity from normal operations. More often than not, we observe adversaries leveraging Rundll32 as a means of credential theft and execution bypass.
From a practical standpoint, Rundll32 enables the execution of dynamic link libraries (DLLs). Executing malicious code as a DLL is relatively inconspicuous compared to the more common option of executing malicious code as an executable. Under certain conditions, particularly if you lack controls for blocking DLL loads, the execution of malicious code through Rundll32 can bypass application control solutions.
How do adversaries use Rundll32?
Adversaries abuse Rundll32 in many ways, but we commonly observe the following generic patterns of behavior:
- using legitimate functions to bypass application control solutions
- abusing legitimate DLLs or export functions to perform malicious actions
- executing malicious, adversary-supplied DLLs
- renaming or relocating legitimate DLLs and using them for malicious purposes
Adversaries also abuse legitimate DLLs and their export functions. We’ve seen adversaries use Rundll32 to load comsvcs.dll, call the minidump function, and dump the memory of certain processes—oftentimes LSASS. More broadly, adversaries particularly like to leverage export functions capable of connecting to network resources and bypassing proxies to evade security controls. In addition to minidump, we commonly see adversaries injecting into lsass.exe to gain access to the memory contents of LSASS.
We commonly observe adversaries executing Rundll32 with unusual command-line parameters, from unexpected file paths, with uncommon filenames that do not use DLL or PE file extensions for execution, or with obfuscated export functions. For example, DllRegisterServer is a DLL export function intended for use with regsvr32.exe, but adversaries commonly call it with Rundll32 as a means of bypassing application controls. We’ve observed a variety of threats leveraging the DllRegisterServer function in this way. Common examples include the following commands:
"C:\Windows\system32\cmd.exe" /c start rundll32 \cdfabdefacdeabcdfabdefacdeabcdfabdefacdfbf.cdfabdefacdeabcdfabdefacdeabcdfabdefacdfbf,JskFxphZumezrjnI
Last but not least, we detect adversaries abusing alternate data streams to conceal malicious content inside otherwise normal-seeming DLL export functions. Take the following as an example.
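The traits described above (non-DLL/PE module names, unexpected paths, DllRegisterServer called through Rundll32, comsvcs.dll with minidump, and alternate data streams) can be turned into a simple triage pass over process-creation command lines. The following is an added example written for this page, not code from the original report; the allow-list of expected directories and the sample command lines are constructed for illustration, and the first sample is the obfuscated command quoted above.

```python
import os
import re
# Extensions a benign rundll32 invocation normally loads (DLL/PE formats).
PE_EXTENSIONS = {".dll", ".ocx", ".cpl", ".exe"}
# Constructed allow-list of directories where loaded modules are expected
# (tune per environment); bare module names resolve via the search path.
EXPECTED_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\program files")
RUNDLL32_RE = re.compile(r'(?:^|[\s"\\])rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)
FIRST_ARG_RE = re.compile(r'^("[^"]*"\S*|\S+)')

def parse_rundll32(cmdline):
    """Return (module, export) from a command line that runs rundll32, else None."""
    m = RUNDLL32_RE.search(cmdline)
    arg = FIRST_ARG_RE.match(m.group(1).strip()) if m else None
    if not arg:
        return None
    module, _, export = arg.group(1).replace('"', "").partition(",")
    return module, export

def analyze(cmdline):
    """Return the suspicious traits of one command line (empty list if none)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, export = parsed
    findings, lower = [], module.lower()
    # Alternate data stream: a colon anywhere after the drive letter.
    body = lower[2:] if re.match(r"^[a-z]:", lower) else lower
    if ":" in body:
        findings.append("alternate data stream in module path")
        lower = lower.rsplit(":", 1)[0]  # strip the stream before the extension check
    if os.path.splitext(lower)[1] not in PE_EXTENSIONS:
        findings.append("module lacks a DLL/PE extension")
    if "\\" in lower and not any(d in lower for d in EXPECTED_DIRS):
        findings.append("module loaded from unexpected path")
    if export.lower() == "dllregisterserver":
        findings.append("DllRegisterServer (a regsvr32 export) called via rundll32")
    if lower.endswith("comsvcs.dll") and export.lower() == "minidump":
        findings.append("comsvcs.dll MiniDump: possible LSASS memory dump")
    return findings

# Constructed sample process-creation command lines (the first is quoted above).
SAMPLES = [
    r'"C:\Windows\system32\cmd.exe" /c start rundll32 \cdfabdefacdeabcdfabdefacdeabcdfabdefacdfbf.cdfabdefacdeabcdfabdefacdeabcdfabdefacdfbf,JskFxphZumezrjnI',
    r'rundll32.exe C:\Windows\System32\comsvcs.dll,MiniDump 624 C:\Temp\out.dmp full',
    r'rundll32 C:\Users\Public\update.dll:stream,DllRegisterServer',
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
]
# Map each sample to its findings; the last one is benign-looking and maps to [].
REPORT = {line: analyze(line) for line in SAMPLES}
```

Feed `analyze()` the command-line field of your process-creation telemetry; a non-empty result is a lead for review, not a verdict, since legitimate software also ships DLLs outside the system directories.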