[H/B/M][Unique Hunt Number]

[claire-st]

Hunt Type

{"B (Baseline)"=>"Focused on identifying deviations from typical behavior."}

Submitter

@claire-st

Hypothesis / Hunt Idea

Adversaries are exploiting the native Windows process Rundll32 in order to execute malicious code and bypass application control solutions

Tactic

Execution, Defense Evasion

Notes

• The scope of this hunt could become too wide without defining an area of focus
• For one hunt it might be best to pursue one category of visibility such as command, process, or module monitoring

Tags

Execution #Defense Evasion #LOLBIN #Rundll32

Explain the importance of this hypothesis and its potential consequences.

• A successful attack usually means legitimate DLLs or functions are abused, or malicious adversary-supplied DLLs are executed
• Objectives may be accomplished on payload installation/execution, credential theft, or broader goals such as data theft
• Associated with QakBot, APT28, APT29, Lazarus Group, and many more

Outline the next steps required to develop or investigate this hypothesis.

Examples of what to look for:

• No DLL in the CLI or no CLI at all
• Execution of a script downloaded remotely
• JavaScript execution
• Outbound connections being made
• Suspicious use of flags such as -sta
• Suspicious use of functions that are known to be misused such as DllRegisterServer or MiniDump
• Unexpected or uncommon filepaths/filenames
• Unexpected process lineage

References

• https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation
• https://redcanary.com/threat-detection-report/techniques/rundll32/
• https://lolbas-project.github.io/lolbas/Binaries/Rundll32/
• https://attack.mitre.org/techniques/T1218/011/

[letswastetimee]

Approved.