Analytics Story: Suspicious Rundll32 Activity

Description

Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.

Why it matters

One common adversary tactic is to bypass application control solutions via the rundll32.exe process. Natively, rundll32.exe will load DLLs and is a great example of a Living off the Land Binary. Rundll32.exe may load malicious DLLs by ordinals, function names or directly. The queries in this story focus on loading default DLLs, syssetup.dll, ieadvpack.dll, advpack.dll and setupapi.dll from disk that may be abused by adversaries. Additionally, two analytics developed to assist with identifying DLLRegisterServer, Start and StartW functions being called. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging rundll32.exe to execute malicious code.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Suspicious Rundll32 Rename System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities Hunting
Detect Rundll32 Application Control Bypass - advpack System Binary Proxy Execution, Rundll32 TTP
Detect Rundll32 Application Control Bypass - setupapi System Binary Proxy Execution, Rundll32 TTP
Detect Rundll32 Application Control Bypass - syssetup System Binary Proxy Execution, Rundll32 TTP
Dump LSASS via comsvcs DLL LSASS Memory, OS Credential Dumping TTP
Rundll32 Control RunDLL Hunt System Binary Proxy Execution, Rundll32 Hunting
Rundll32 Control RunDLL World Writable Directory System Binary Proxy Execution, Rundll32 TTP
Rundll32 with no Command Line Arguments with Network System Binary Proxy Execution, Rundll32 TTP
RunDLL Loading DLL By Ordinal System Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 dllregisterserver System Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 no Command Line Arguments System Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 StartW System Binary Proxy Execution, Rundll32 TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References


Source: GitHub | Version: 1