Command Shell Activity Started via RunDLL32
Adversaries abuse RunDLL32, a legitimate Windows utility, to execute command shells (cmd.exe or PowerShell) for malicious purposes, bypassing security controls.
Attackers commonly abuse RunDLL32 to execute malicious code by proxying command shell execution. This technique allows attackers to bypass application control and execute arbitrary commands. This activity typically involves rundll32.exe spawning cmd.exe or powershell.exe. Defenders need to monitor for this activity, especially when unexpected DLLs or functions are being executed, as this can indicate malicious intent. This activity has been observed across multiple environments where adversaries attempt to gain a foothold or execute commands discreetly.
Attack Chain
- The attacker gains initial access to the system through an existing vulnerability or compromised credentials.
- The attacker uses RunDLL32 to execute a malicious DLL.
rundll32.exe <path_to_dll>,<export_name> - The malicious DLL contains code to execute a command shell.
- RunDLL32 spawns a command shell (cmd.exe or powershell.exe).
- The command shell executes commands specified by the attacker.
- The attacker performs reconnaissance activities, such as gathering system information or network configurations using
ipconfigorwhoamicommands executed within the spawned shell. - The attacker attempts lateral movement by using the command shell to access other systems on the network.
- The attacker achieves their final objective, such as data exfiltration or establishing persistence.
Impact
Successful exploitation allows attackers to execute arbitrary commands, potentially leading to credential compromise, data theft, or system compromise. The impact is typically limited to the privileges of the user account under which the command shell is running, but can lead to domain compromise if a privileged account is targeted.
Recommendation
- Monitor process creation events for cmd.exe or powershell.exe with rundll32.exe as the parent process, excluding known legitimate uses (rule: "Detect Command Shell Activity Started via RunDLL32").
- Inspect the command-line arguments of rundll32.exe processes to identify any suspicious or unusual DLLs or functions being executed.
- Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
- Enable Sysmon process-creation logging to activate the rules above.
Detection coverage 2
Detect Command Shell Activity Started via RunDLL32
lowIdentifies command shell activity (cmd.exe or powershell.exe) started via RunDLL32, excluding known legitimate uses.
Detect Suspicious RunDLL32 Command Line Parameters
mediumDetects rundll32.exe being used with unusual or suspicious parameters.
Detection queries are available on the platform. Get full rules →