Application Bypass with RunDLL32 and DllRegisterServer Function

DLLs that are designed to be loaded by Regsvr32 are expected to implement a DllRegisterServer export function. This rule detects that same export being invoked through rundll32.exe instead, which is not how such a DLL is normally loaded. Inspired by the 2022 Red Canary Threat Detection Report.

Sigma rule

```yaml
title: Application Bypass with RunDLL32 and DllRegisterServer Function
id: 361f2190-4857-4505-aaf9-588013b390f1
status: experimental
description: DLLs that are designed to be loaded by Regsvr32 are expected to have
    a DllRegisterServer export function implemented. This detects use of the same DLL
    to rundll32.exe. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.011
    - attack.s0650
    - attack.s0386
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'DllRegisterServer'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
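To see exactly what the `selection` block matches, here is an added Python re-implementation of its two conditions run over constructed process-creation events. It is not code from the Sigma project or from this rule's author; the events, file paths and `RecordId` values are made up for the example.

```python
# Added example (not part of the Sigma project or this rule): evaluate the
# rule's `selection` block against constructed process_creation events.
# Sigma's string modifiers (endswith, contains) match case-insensitively by
# default, so the comparison lower-cases both sides.

def sigma_endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())

def sigma_contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()

def matches_rule(event: dict) -> bool:
    """True when the event satisfies both fields of `selection`;
    the rule's condition is just `selection`, so that alone decides."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return (sigma_endswith(image, r"\rundll32.exe")
            and sigma_contains(cmdline, "DllRegisterServer"))

# Constructed sample events shaped like Sysmon process-creation fields.
SAMPLE_EVENTS = [
    {   # regsvr32 is the expected loader for this export: no alert
        "RecordId": 1,
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
    },
    {   # rundll32 invoking an ordinary export: no alert
        "RecordId": 2,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
    },
    {   # rundll32 calling the Regsvr32-style export: alert
        "RecordId": 3,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\ProgramData\update.dll,DllRegisterServer",
    },
    {   # mixed case in both fields still matches: alert
        "RecordId": 4,
        "Image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
        "CommandLine": r"RUNDLL32.EXE C:\Users\Public\a.dll,dllregisterserver",
    },
]

def alerting_record_ids(events) -> list:
    """RecordIds of the events this rule would flag."""
    return [e["RecordId"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    print(alerting_record_ids(SAMPLE_EVENTS))  # [3, 4]
```

Because `contains` is case-insensitive and unanchored, a lowercase `dllregisterserver` anywhere in the command line is enough to match, which is why the rule's author lists false positives as unknown.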
