![rundll32 exe process information rundll32 exe process information](https://bestpctips.com/wp-content/uploads/2020/11/image-280.png)
The use of that export function is a telltale sign you are dealing with Cobalt Strike. The following illustrates a generic example of an adversary using DllRegisterServer to bypass application controls.Īnother detectable example we encounter frequently with Rundll32 involves Cobalt Strike, which leverages the StartW function to load DLLs from the command line. However, we’ve also seen several threats-from droppers for Qbot, Dridex, and others to ransomware such as Egregor and Maze-leverage it as a mechanism to bypass application controls. We’ve observed adversaries leveraging this technique to retrieve cached credentials from lsass.exe, which is illustrated below.ĭllRegisterServer is a legitimate function of Rundll32 that is used for a variety of innocuous reasons.
Rundll32 exe process information software#
Under certain conditions, particularly if you lack controls for blocking DLL loads, the execution of malicious code through Rundll32 can bypass application controls.īeyond DLLs, Rundll32 can also execute JavaScript via the RunHtmlApplication function.Īdversaries abuse Rundll32 in a wide variety of ways, so we’ll limit our focus to variations we encounter regularly.Īdversaries often leverage Rundll32 to load code from DLLs within world-writable directories (e.g., the Windows temp directory), a pattern of behavior that you might see from legitimate enterprise software as well as not-so-legit tools like Cobalt Strike.Īs we’ve covered on the Red Canary blog, adversaries use Rundll32 to load the legitimate comsvcs.dll, which calls the MiniDump function, allowing adversaries to dump the memory of certain processes.
![rundll32 exe process information rundll32 exe process information](https://wethegeek.com/wp-content/uploads/2021/02/Screenshot-2021-02-18-at-4.53.56-PM-min.png)
Additionally, adversaries are known to abuse export functionality in legitimate DLLs, including those that can facilitate connection to network resources to bypass proxies and evade detection. Executing malicious code as a DLL allows an adversary to keep their malware from appearing directly in a process tree, as a directly executed EXE would. This necessity and ubiquity makes Rundll32 an attractive target for adversaries intent on blending in.įrom a practical standpoint, Rundll32 enables the execution of native dynamic link libraries (DLL). It is a functionally necessary component of the Windows operating system that can’t be simply blocked or disabled. Like many of the most prevalent ATT&CK techniques, Rundll32 is a native Windows process that’s installed by default on nearly every Microsoft computer dating back to Windows 95.