Threat Feed
medium advisory

Unusual Network Connection via RunDLL32

This rule detects unusual outbound network connections from rundll32.exe, specifically from instances that were started with no command-line arguments. On Windows systems this pattern may indicate command and control (C2) activity or a defense evasion technique.

Attackers often abuse rundll32.exe, a signed Microsoft binary whose job is to load a DLL and call one of its exported functions, so that their activity blends in with legitimate system operations. Legitimate invocations pass a DLL path and an entry point on the command line. A rundll32.exe started with no arguments does nothing useful on its own, so an outbound connection from such a process is a strong sign that code was placed into it by other means (for example process injection, the sacrificial-process pattern used by common C2 frameworks). This rule flags rundll32.exe instances that were started without command-line arguments and then establish an outbound network connection, using telemetry from Elastic Defend, Sysmon and SentinelOne. Connections to well-known private and reserved IP ranges are excluded to reduce false positives; as a consequence, a bare rundll32.exe that only talks to internal hosts is not covered by this rule and needs other detections.

Attack Chain

  1. An attacker gains initial access to a Windows system, for example through phishing or by exploiting a software vulnerability.
  2. To run code under a trusted Microsoft binary, the attacker starts rundll32.exe with no arguments at all, something legitimate software does not do.
  3. The process creation event therefore shows a bare command line, just rundll32.exe, instead of the usual rundll32.exe <path_to_dll>,<entry_point>.
  4. Code running inside that rundll32.exe process (injected, since with no arguments the process has no DLL of its own to execute) initiates an outbound network connection to an external IP address.
  5. Because rundll32.exe is a signed system binary, host firewall and application-control rules that trust it may allow the connection through.
  6. The attacker uses this connection as a command and control channel.
  7. Data exfiltration, further exploitation or lateral movement follows over the established C2 channel.
  8. The attacker achieves their objective, such as data theft, ransomware deployment or broader system compromise.

Impact

A successful use of this technique gives the attacker a command and control channel on the compromised system, which can lead to data exfiltration, lateral movement within the network and deployment of ransomware. This can result in significant financial losses, reputational damage and disruption of business operations. The exposure is broad, since rundll32.exe ships with every version of Windows and is trusted by default.

Recommendation

  • Deploy the Sigma rule Detect Unusual Network Connection via RunDLL32 to your SIEM and tune it for your environment.
  • Enable Sysmon process creation (Event ID 1) and network connection (Event ID 3) logging, or the equivalent Elastic Defend or SentinelOne telemetry, so the rule has the events it needs.
  • Investigate every alert, focusing on the parent process of rundll32.exe (an Office application, browser or script host as parent is a strong indicator), the destination IP address and port, and the full command line.
  • Review and harden firewall rules to block outbound connections from system binaries such as rundll32.exe that have no business reaching the internet; test the change first, since blanket blocking can break legitimate uses.
  • Implement application control policies that restrict which DLLs rundll32.exe may load, in particular unsigned DLLs or DLLs in user-writable locations.

Detection coverage (2 rules)

Detect Unusual Network Connection via RunDLL32

medium

Detects unusual outbound network connections made by rundll32.exe, which may indicate command and control activity.

Format: Sigma
Tactics: command_and_control, defense_evasion
Techniques: T1071.001 (Application Layer Protocol: Web Protocols), T1218.011 (System Binary Proxy Execution: Rundll32)
Log sources: network_connection, windows

Detect Suspicious RunDLL32 Process Creation without Arguments

medium

Detects the execution of rundll32.exe without any command-line arguments, which is unusual for legitimate software and may indicate an attempt to run code under a trusted binary to bypass security controls.

Format: Sigma
Tactics: defense_evasion
Techniques: T1218.011 (System Binary Proxy Execution: Rundll32)
Log sources: process_creation, windows
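The two rules above, reimplemented as an added worked example so the logic can be read and run end to end. This is not the platform's Sigma query text and not Elastic's or the Sigma project's rule; it assumes a flattened Sysmon-like event shape (EventID, ProcessGuid, Image, CommandLine, ParentImage, Initiated, DestinationIp, DestinationPort, UtcTime), a 60-second window between process start and connection, and a hand-picked list of excluded ranges. The sample events are constructed, not real telemetry.

```python
"""Added example: a minimal re-implementation of the two rundll32 detections on
this page, run over constructed Sysmon-style events. Not the platform's own
queries; field names, the 60 s window and the excluded ranges are assumptions."""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed "private or reserved" ranges. Production rules usually exclude more
# (e.g. the RFC 5737 documentation nets used below as stand-in public addresses).
EXCLUDED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "224.0.0.0/4", "240.0.0.0/4",                       # multicast, reserved
    "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",     # IPv6 equivalents
)]
MAXSPAN = timedelta(seconds=60)  # assumed max gap between process start and connection


def is_bare_rundll32(command_line: str) -> bool:
    """True when the command line is rundll32(.exe) with nothing after the image.
    Quoted and unquoted full paths are handled; any trailing text (a DLL path,
    an export name) makes the invocation non-bare."""
    cl = command_line.strip()
    if cl.startswith('"'):
        close = cl.find('"', 1)
        if close == -1:
            return False
        image, rest = cl[1:close], cl[close + 1:]
    else:
        image, _, rest = cl.partition(" ")
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in ("rundll32.exe", "rundll32") and rest.strip() == ""


def is_external_destination(ip: str) -> bool:
    """True if the address lies outside every excluded range; unparseable -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in EXCLUDED_NETWORKS)


def detect(events: List[Dict]) -> List[Dict]:
    """Emit 'rundll32_no_args' for a bare rundll32 start (EventID 1) and
    'rundll32_external_connection' when that same process, matched by
    ProcessGuid, initiates a connection (EventID 3) to an external address
    within MAXSPAN of starting. Events must be in time order."""
    bare_starts: Dict[str, Dict] = {}
    alerts: List[Dict] = []
    for ev in events:
        if not ev.get("Image", "").lower().endswith("\\rundll32.exe"):
            continue
        if ev["EventID"] == 1 and is_bare_rundll32(ev["CommandLine"]):
            bare_starts[ev["ProcessGuid"]] = ev
            alerts.append({"rule": "rundll32_no_args", "guid": ev["ProcessGuid"],
                           "parent": ev["ParentImage"]})
        elif ev["EventID"] == 3 and ev.get("Initiated") == "true":
            start = bare_starts.get(ev["ProcessGuid"])
            if start is None or not is_external_destination(ev["DestinationIp"]):
                continue
            gap = datetime.fromisoformat(ev["UtcTime"]) - datetime.fromisoformat(start["UtcTime"])
            if timedelta(0) <= gap <= MAXSPAN:
                alerts.append({"rule": "rundll32_external_connection",
                               "guid": ev["ProcessGuid"], "parent": start["ParentImage"],
                               "dest": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'})
    return alerts


RUNDLL = r"C:\Windows\System32\rundll32.exe"
# Constructed sample telemetry (not real logs), in time order.
SAMPLE_EVENTS = [
    # A1: legitimate use with DLL and export name, no network activity.
    {"EventID": 1, "UtcTime": "2024-05-01T12:00:00", "ProcessGuid": "{A1}", "Image": RUNDLL,
     "CommandLine": f'"{RUNDLL}" C:\\Windows\\System32\\shell32.dll,Control_RunDLL',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # B2: bare rundll32 spawned by Word, then outbound 443 to an external address.
    {"EventID": 1, "UtcTime": "2024-05-01T12:00:05", "ProcessGuid": "{B2}", "Image": RUNDLL,
     "CommandLine": "rundll32.exe", "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"EventID": 3, "UtcTime": "2024-05-01T12:00:07", "ProcessGuid": "{B2}", "Image": RUNDLL,
     "Initiated": "true", "DestinationIp": "203.0.113.25", "DestinationPort": 443},
    # C3: bare rundll32 (quoted full path) that only talks to a private address.
    {"EventID": 1, "UtcTime": "2024-05-01T12:01:00", "ProcessGuid": "{C3}", "Image": RUNDLL,
     "CommandLine": f'"{RUNDLL}"', "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 3, "UtcTime": "2024-05-01T12:01:01", "ProcessGuid": "{C3}", "Image": RUNDLL,
     "Initiated": "true", "DestinationIp": "10.20.30.40", "DestinationPort": 445},
    # D4: rundll32 given a DLL argument that then calls out: outside these rules' scope.
    {"EventID": 1, "UtcTime": "2024-05-01T12:02:00", "ProcessGuid": "{D4}", "Image": RUNDLL,
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,Start", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "UtcTime": "2024-05-01T12:02:02", "ProcessGuid": "{D4}", "Image": RUNDLL,
     "Initiated": "true", "DestinationIp": "203.0.113.9", "DestinationPort": 8080},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the module prints three alerts for the constructed sample: the bare rundll32.exe spawned by WINWORD.EXE fires both rules, and the connection alert carries the parent image and destination that the Recommendation section says to triage first; the bare instance that only reaches 10.20.30.40 fires the no-arguments rule alone because of the private-range exclusion; and the instance that was given a DLL argument and still called out fires neither. That last case is the coverage boundary of these two rules, and the reason to keep other rundll32 detections (suspicious DLL paths, unusual parents) in place alongside them.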

Detection queries are kept inside the platform.