Note: The visibility sections in this report are mapped to MITRE ATT&CK data sources and components. We also occasionally see Cobalt Strike and a wide variety of other tools leverage Rundll32 to load code from DLLs within world-writable directories (e.g., the Windows temp directory). We reliably observe Cobalt Strike leveraging Rundll32 to call the StartW export function and load DLLs from the command line. More broadly, adversaries particularly like to leverage export functions capable of connecting to network resources and bypassing proxies to evade security controls.įor its part, the command and control (C2) tool Cobalt Strike often delivers beacon payloads in the form of DLLs. We’ve seen adversaries use Rundll32 to load comsvcs.dll, call the MiniDump function, and dump the memory of certain processes-oftentimes LSASS. We’ve observed a variety of threats leveraging the DllRegisterServer function in this way, including Grief ransomware, IcedID, Qbot, TrickBot, and Ursnif, among others.Īdversaries also abuse legitimate DLLs and their export functions.
How do adversaries use Rundll32?Īdversaries abuse Rundll32 in many ways, but we commonly observe the following generic patterns of behavior: Under certain conditions, particularly if you lack controls for blocking DLL loads, the execution of malicious code through Rundll32 can bypass application control solutions. Executing malicious code as a DLL is relatively inconspicuous compared to the more common option of executing malicious code as an executable. Adversaries typically abuse Rundll32 because it makes it hard to differentiate malicious activity from normal operations.įrom a practical standpoint, Rundll32 enables the execution of dynamic link libraries (DLL). Like other prevalent ATT&CK techniques, Rundll32 is a native Windows process and a functionally necessary component of the Windows operating system that can’t be blocked or disabled without breaking things.
0 kommentar(er)
