We’ve seen adversaries use Rundll32 to load comsvcs.dll, call the minidump function, and dump the memory of certain processes, oftentimes LSASS. More broadly, adversaries particularly like to leverage export functions capable of connecting to network resources and bypassing proxies to evade security controls. Similar to minidump, we commonly see adversaries injecting rundll32.exe into lsass.exe to gain access to the memory contents of LSASS.

We commonly observe adversaries executing Rundll32 with unusual command-line parameters, from unexpected file paths, with uncommon filenames that do not use DLL or PE file extensions for execution, or with obfuscated export functions. For example, DllRegisterServer is a DLL export function intended for use with regsvr32.exe, but adversaries commonly call it with Rundll32 as a means of bypassing application controls. We’ve observed a variety of threats leveraging the DllRegisterServer function in this way. Common examples include the following commands:

"C:\Windows\system32\cmd.exe" /c start rundll32 \cdfabdefacdeabcdfabdefacdeabcdfabdefacdfbf.cdfabdefacdeabcdfabdefacdeabcdfabdefacdfbf,JskFxphZumezrjnI

C:\users\public\delay(1).txt,DllRegisterServer

Last but not least, we detect adversaries abusing alternate data streams to conceal malicious content inside otherwise normal-seeming DLL export functions.

"rundll32.exe" C:\Users\dmaddux:temp.dll,Start

Associated threats

Note: The visibility sections in this report are mapped to MITRE ATT&CK data sources and components.

Like much of Red Canary’s detection logic for native Windows binaries, analytics for catching adversaries who abuse Rundll32 lean heavily on process, process access, and command monitoring. Network connection and module-related telemetry can provide additional enrichment for detections as well. These telemetry sources are widely available via commercial EDR products, native logging, and free or open source tooling.

Command monitoring

Command-line parameters are some of the most reliable telemetry for detecting malicious use of Rundll32, since adversaries often need to pass command-line arguments for Rundll32 to execute. Eight of our top 10 detection analytics for Rundll32 include a command-line component. Capturing command-line activity will capture both the name of the DLL that was launched by rundll32.exe and any additional command-line arguments.

Process monitoring is another useful data source for observing malicious execution of Rundll32. Nearly all of our Rundll32-related detection analytics look for the execution of a process that seems to be Rundll32 in conjunction with either another process (parent or child), a corresponding command line, or some other data source. Since adversaries can rename binaries, you’re better off identifying a process via binary metadata rather than executable filename.

Process access monitoring

Cross-process events warrant monitoring as well, considering the high volume of credential theft activity we observe that involves Rundll32 opening a handle into LSASS.
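The following Python script is an added example, not Red Canary’s detection logic or any code from the report. It turns the observations above (identify Rundll32 by binary metadata rather than filename, inspect the module and export function on the command line, flag non-PE module extensions, DllRegisterServer called through Rundll32, comsvcs.dll minidump, alternate data streams in the module path, and Rundll32 opening a handle into LSASS) into detection rules that run over constructed process-event records. The `ProcEvent` field names, the `OriginalFileName` value, and the sample events are assumptions; three of the sample command lines are taken from the report’s examples and the rest are made up to exercise the remaining rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical event record. Field names are assumptions modelled on common
# EDR/Sysmon-style process telemetry, not any specific product's schema.
@dataclass
class ProcEvent:
    image: str                      # on-disk path of the executable that ran
    original_filename: str          # OriginalFileName from the PE version resource (binary metadata)
    command_line: str
    parent_image: str
    access_target: Optional[str] = None  # process-access events: image whose handle was opened

PE_EXTENSIONS = {".dll", ".exe", ".ocx", ".cpl", ".drv"}

def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]

def is_rundll32(ev: ProcEvent) -> bool:
    # Identify the binary by its version-resource metadata, not its filename,
    # since adversaries can rename rundll32.exe.
    return ev.original_filename.lower() == "rundll32.exe"

def parse_rundll32_args(command_line: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'rundll32 <module>,<entrypoint> [args]' into (module, entrypoint)."""
    s = command_line.strip()
    # Drop the executable token, whether quoted or bare.
    if s.startswith('"'):
        end = s.find('"', 1)
        s = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        s = parts[1] if len(parts) > 1 else ""
    s = s.strip()
    if not s:
        return None, None
    # The module path may itself be quoted.
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return None, None
        module, rest = s[1:end], s[end + 1:]
    else:
        m = re.match(r"[^,\s]+", s)
        if not m:
            return None, None
        module, rest = m.group(0), s[m.end():]
    # rundll32 tolerates whitespace around the comma ("comsvcs.dll, MiniDump").
    m = re.match(r"\s*,\s*(\S+)", rest)
    return module, (m.group(1) if m else None)

def analyze(ev: ProcEvent) -> List[str]:
    """Return the names of the Rundll32 abuse patterns this event matches."""
    findings: List[str] = []
    if not is_rundll32(ev):
        return findings
    if _basename(ev.image).lower() != "rundll32.exe":
        findings.append("renamed_rundll32_binary")
    if ev.access_target and _basename(ev.access_target).lower() == "lsass.exe":
        findings.append("rundll32_handle_to_lsass")
    module, entry = parse_rundll32_args(ev.command_line)
    if module is None:
        return findings
    # Alternate data stream: a colon anywhere other than right after the drive letter.
    body = module[2:] if re.match(r"^[A-Za-z]:", module) else module
    if ":" in body:
        findings.append("module_in_alternate_data_stream")
    mod_base = _basename(module)
    ext = mod_base[mod_base.rfind("."):].lower() if "." in mod_base else ""
    if ext not in PE_EXTENSIONS:
        findings.append("module_without_pe_extension")
    if entry:
        e = entry.lower()
        if e == "dllregisterserver":
            findings.append("dllregisterserver_via_rundll32")
        if mod_base.lower() == "comsvcs.dll" and e == "minidump":
            findings.append("comsvcs_minidump")
    return findings

def detect_all(events: List[ProcEvent]) -> List[List[str]]:
    return [analyze(ev) for ev in events]

# Constructed sample events: the obfuscated-module, delay(1).txt and ADS command lines
# are the report's examples; the others are made up here to exercise the remaining rules.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
              r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
              r"rundll32 \cdfabdefacdeabcdfabdefacdeabcdfabdefacdfbf.cdfabdefacdeabcdfabdefacdeabcdfabdefacdfbf,JskFxphZumezrjnI",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
              r"rundll32.exe C:\users\public\delay(1).txt,DllRegisterServer",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
              r'"rundll32.exe" C:\Users\dmaddux:temp.dll,Start',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Users\Public\svchost.exe", "RUNDLL32.EXE",  # renamed copy of rundll32
              r"C:\Users\Public\svchost.exe C:\Windows\System32\comsvcs.dll, MiniDump 1234 C:\Users\Public\out.dmp full",
              r"C:\Windows\System32\cmd.exe", access_target=r"C:\Windows\System32\lsass.exe"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", "REGSVR32.EXE",  # not Rundll32: ignored
              r"regsvr32.exe /s C:\Windows\System32\foo.dll", r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, detect_all(SAMPLE_EVENTS)):
        print(f"{hits or ['clean']}: {ev.command_line}")
```

The gating on `original_filename` is what keeps the renamed `svchost.exe` copy in scope while the genuine regsvr32 call to DllRegisterServer stays out of it; each rule only adds a label, so a real pipeline would tune severity per label rather than alert on any hit.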