Threat Feed
high advisory

Rundll32 Execution with DLL Stored in Alternate Data Stream (ADS)

Adversaries may use rundll32.exe to execute DLLs stored within alternate data streams (ADS) to bypass security controls and conceal malicious code.

Rundll32 is a legitimate Windows utility used to execute DLLs. However, adversaries can abuse this functionality to execute malicious code while evading detection. This technique involves storing a malicious DLL within an Alternate Data Stream (ADS) of a file. ADS allows hiding data within existing files, making it less likely to be discovered by standard file system scans. When rundll32.exe is then used to execute the DLL from the ADS, it can bypass application whitelisting and other security measures, as the execution appears to originate from the trusted rundll32.exe process. This technique has been observed across various threat actors seeking to establish persistence or execute arbitrary code.

Attack Chain

  1. An attacker gains initial access to the system through methods like phishing or exploiting a vulnerability.
  2. The attacker uploads a malicious DLL to the target system.
  3. The attacker uses a command-line utility to write the DLL into an Alternate Data Stream (ADS) of an existing file, such as a text file or image. For example: echo "DLL content" > legitimate_file.txt:malicious.dll.
  4. The attacker uses rundll32.exe to execute the DLL stored in the ADS. The command typically looks like: rundll32.exe "C:\ads\file.txt:ADSDLL.dll",DllMain.
  5. Rundll32.exe loads and executes the malicious DLL from the ADS.
  6. The malicious DLL performs its intended actions, such as establishing persistence, downloading additional payloads, or exfiltrating data.
  7. The attacker may use additional techniques to further conceal their activity, such as obfuscating the command line or using process injection.

Impact

Successful exploitation allows arbitrary code execution on the targeted system. Attackers can use this technique to establish persistence, escalate privileges, bypass security controls, and deploy further malware. The use of ADS makes detection more challenging, as the malicious DLL is hidden within a seemingly benign file. This can lead to data breaches, system compromise, and potential financial losses.

Recommendation

  • Enable Sysmon process creation logging to capture the command-line arguments used with rundll32.exe (as used in the Sigma rules below).
  • Deploy the Sigma rules in this brief to your SIEM to detect suspicious rundll32.exe executions from ADS.
  • Monitor for unusual file modifications that involve writing data to alternate data streams.
  • Implement application whitelisting to restrict the execution of unauthorized executables.
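As an illustration of the process-creation check the recommendations describe, here is an added example that is not the platform's Sigma rules (those are not reproduced on this page): it runs a rundll32-from-ADS detector over constructed Sysmon-style events. The event field names, the sample command lines and the high/medium severity split are assumptions of the example.

```python
import re
from typing import Optional
# Constructed Sysmon-style process-creation events (sample data, not real logs).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\ads\file.txt:ADSDLL.dll",DllMain'},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\notes.txt:payload:$DATA,Start"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c echo x > "C:\ads\file.txt:ADSDLL.dll"'},
]
DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|\\\\)")  # C: or \\server prefix

def is_rundll32(image: str) -> bool:
    # A renamed copy defeats this check; also match Sysmon's OriginalFileName.
    return image.lower().rsplit("\\", 1)[-1] == "rundll32.exe"

def dll_argument(command_line: str) -> Optional[str]:
    """The DLL spec: first argument after the image, before ',EntryPoint'."""
    parts = command_line.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')

def parse_ads(path: str) -> Optional[tuple]:
    """(host_file, stream) if path names an NTFS alternate data stream, else None.
    The drive-letter colon is not a separator; a later one is. ':$DATA' is dropped."""
    body = DRIVE_OR_UNC.sub("", path)
    if ":" not in body:
        return None
    host, _, stream = body.partition(":")
    stream = stream.split(":", 1)[0]
    if not (host and stream):
        return None
    return path[: len(path) - len(body)] + host, stream

def detect(event: dict) -> Optional[dict]:
    """Alert dict for rundll32 loading a DLL from an ADS, else None."""
    if not is_rundll32(event.get("Image", "")):
        return None
    arg = dll_argument(event.get("CommandLine", ""))
    parsed = parse_ads(arg) if arg else None
    if parsed is None:
        return None
    host, stream = parsed
    # Severity split is this example's own heuristic: explicit .dll stream vs. other.
    level = "high" if stream.lower().endswith(".dll") else "medium"
    return {"host_file": host, "stream": stream, "severity": level}
```

The fourth sample event (cmd.exe writing into the stream) is deliberately not matched here; that write belongs to the file-modification monitoring recommended above, not to the rundll32 process-creation rule.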

Detection coverage (2 rules)

Detect Rundll32 Execution with DLL Stored in ADS

high

Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).

Format: sigma | Tactics: defense_evasion | Techniques: T1564.004 | Sources: process_creation, windows

Detect Rundll32 Execution with ADS DLL - Alternate Method

medium

Detects execution of rundll32 where the DLL is in ADS using an alternate pattern.

Format: sigma | Tactics: defense_evasion | Techniques: T1564.004 | Sources: process_creation, windows

Detection queries are kept inside the platform.