Application Bypass with DllRegisterServer Function

DLLs that are designed to be loaded by Regsvr32 are expected to have a DllRegisterServer export function implemented. Adversaries will often supply the same DLL to rundll32.exe as well. Executing the DllRegisterServer export function with rundll32.exe is tradecraft that’s unique to adversary behavior and is rarely seen in legitimate scenarios. We’ve observed this behavior in threats including Qbot, Ursnif, and Zloader, to name a few examples. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Application Bypass with DllRegisterServer Function
id: 06c7a5b8-24dc-482c-8203-c674a7e05c56
status: experimental
description: |
    DLLs that are designed to be loaded by Regsvr32 are expected to have a
    DllRegisterServer export function implemented. Adversaries will often
    supply the same DLL to rundll32.exe as well. Executing the DllRegisterServer
    export function with rundll32.exe is tradecraft that’s unique to adversary
    behavior and is rarely seen in legitimate scenarios. We’ve observed this
    behavior in threats including Qbot, Ursnif, and Zloader, to name a few examples.
    Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rundll32/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'DllRegisterServer'
    condition: selection
falsepositives:
    - Unknown
level: low
```
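The selection above is two string tests joined by AND. As an added example (not code from the rule page or from Red Canary), the script below evaluates that same selection against a handful of constructed process-creation events, using Sysmon-style `Image` and `CommandLine` field names. Sigma string modifiers are case-insensitive by default, so the matcher lowercases both sides; the paths and DLL names in the sample events are placeholders, not real telemetry.

```python
"""Evaluate the Sigma selection above against process_creation events.

Added example; not part of the original rule page. The event dicts below
are constructed samples in Sysmon-style field names (Image, CommandLine),
the fields the Sigma logsource refers to.
"""
from typing import Dict, Iterable, List


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive by default."""
    return needle.lower() in value.lower()


def matches_rule(event: Dict[str, str]) -> bool:
    """selection: Image|endswith '\\rundll32.exe' AND CommandLine|contains 'DllRegisterServer'."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return sigma_endswith(image, "\\rundll32.exe") and sigma_contains(cmdline, "DllRegisterServer")


def find_hits(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that satisfy the rule's condition (condition: selection)."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (placeholder paths; not real telemetry).
SAMPLE_EVENTS = [
    # Ordinary COM registration through regsvr32: Image does not match, no hit.
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\ExampleApp\example.dll"},
    # rundll32 invoking the DllRegisterServer export: the behaviour the rule targets.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\sample.dll,DllRegisterServer"},
    # Mixed-case image and export name: still a hit because matching is case-insensitive.
    {"Image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
     "CommandLine": r"RUNDLL32.EXE C:\Users\Public\sample.dll,dllregisterserver"},
    # rundll32 with an unrelated export: no hit.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

Running the script flags the second and third events only. Because the rule's `falsepositives` entry is `Unknown`, a practical next step is to run the same matcher over a window of your own process-creation telemetry and review every hit before raising the rule's level.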
