Re: Name Rundll32.exe Comsvcs.dll File Version Not Loaded


Cre Wallace

Jul 12, 2024, 6:18:59 PM7/12/24
to inanemcir

However, thanks to the Cybereason Defense Platform, we could examine the history, all loaded modules and all other relevant information and also visualize the processes tree to notice that rundll32.exe is the parent of cmd.exe:

We have seen that rundll32.exe is a powerful asset for adversaries to proxy execution of arbitrary and malicious code. This binary has another ace in the hole: it could leverage comsvcs.dll (a Microsoft-signed DLL), which exports a function called MiniDumpW that relies on MiniDumpWriteDump to dump lsass.exe (Local Security Authority Subsystem Service) process memory to retrieve credentials.

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe DLLname, DLLfunction).

Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.[3][4] DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).

Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Typical command-line usage of rundll32.exe is "rundll32.exe DllFile,EntryPoint" where DllFile is the name of the DLL file being called and EntryPoint the name of the entry point in the DLL file.

Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.

Note: Event IDs are for Sysmon (Event ID 10 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of rundll32.exe but does no other filtering, which may result in false positives. Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the user that created the process) that helps reduce false positives.

Command-line parameters are some of the most reliable telemetry for detecting malicious use of Rundll32, since adversaries often need to pass command-line arguments for Rundll32 to execute. Eight of our top 10 detection analytics for Rundll32 include a command-line component. Capturing command-line activity will capture both the name of the DLL that was launched by rundll32.exe and any additional command-line arguments.

Consider monitoring for instances of rundll32.exe running Windows native DLLs that have export functionalities that adversaries commonly leverage for executing malicious code and evading defensive controls. The following pseudo-analytic applies specifically to adversaries who use the MiniDump export functionality of comsvcs.dll to dump the contents of LSASS, but this logic could be adapted to detect other malicious activity as well.

One common adversary tactic is to bypass application control solutions via the rundll32.exe process. Natively, rundll32.exe will load DLLs and is a great example of a Living off the Land Binary. Rundll32.exe may load malicious DLLs by ordinals, function names or directly. The queries in this story focus on loading default DLLs, syssetup.dll, ieadvpack.dll, advpack.dll and setupapi.dll from disk that may be abused by adversaries. Additionally, two analytics were developed to assist with identifying DLLRegisterServer, Start and StartW functions being called. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging rundll32.exe to execute malicious code.

After seeing this command, it would be a good idea to look at all activity targeted toward LSASS for this endpoint. To do that, I can use the query filename.dst = 'lsass.exe' and start to investigate by opening up meta keys like the ones below. Something that stands out as interesting is the usage of rundll32.exe to load a function called minidump from the comsvcs.dll:

Pivoting into the Events view, we can see the full command a lot easier. Here we can see that rundll32.exe is loading the MiniDump function from comsvcs.dll and passing some parameters, such as the process ID for dumping (which was found by the initial process enumeration), location and name for the dump, and the keyword full:

When the user double clicks or opens the lnk file, they inadvertently start a hidden file, a DLL (namr.dll) containing the Bumblebee malware loader. From there, the loader reached out to the Bumblebee C2 servers. At first, things remained fairly quiet, just C2 communications; until around 3 hours later, Bumblebee dropped a Cobalt Strike beacon named wab.exe on the beachhead host. This Cobalt Strike beacon was subsequently executed and then proceeded to inject into various other processes on the host (explorer.exe, rundll32.exe). From these injected processes, the threat actors began discovery tasks using Windows utilities like ping and tasklist.

This detection identifies 'PkgMgr.exe' spawning 'Dism.exe'. An actor can bypass UAC by dropping a malicious DLL named DismCore.dll in the C:\Windows\SysWOW64\ or C:\Windows\System32\ directory. The actor will then run pkgmgr.exe with the /n flag, which causes DISMHost.exe to run with elevated permissions. DISMHost will search for DismCore.dll in C:\Windows\SysWOW64\ and C:\Windows\System32\ before searching the correct directory, C:\Windows\SysWOW64\Dism\DismCore.dll. The malicious DismCore.dll placed in one of those directories will be loaded with elevated privileges.

Examine any binaries downloaded by the renamed 'BITSAdmin.exe'. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

Examine any child processes of or DLLs loaded by the renamed RunDLL32.exe. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

Qakbot kept defenders on their toes, sometimes daily, with the constantly changing entry point names they used. Sometimes, they would follow a predictable pattern, and sometimes, they would just be random words. Other times, they would use the same entry point name expected for another library. But near the end of their most recent run, they just stopped using entry point names completely. This turned out to be an extremely rare expression of possible rundll32 usage. This prompted the creation of a detection that looks for process creation events where either the process or original file name is rundll32.exe, with the following regular expression that searches the command line:

The malware was configured to send the username and hostname to IP 44[.]238[.]74[.]84 on TCP/22 as part of the victim check-in with the C2 and establish VNC connections to the same IP on port TCP/5900. Once a successful connection is established to the server IP, the embedded second stage DLL payload from TightVNC.exe is loaded in memory to establish C2 communication to a known compromised domain.

Unfortunately, what makes DLL files so convenient and efficient, also makes them extremely vulnerable to problems. If something happens to a shared DLL file, either it goes missing or gets corrupted in some way, it can generate a "runtime" error message. Runtime is pretty self-explanatory; it means that these errors are triggered when comsvcs.dll is attempted to be loaded either when Microsoft Office Access 2010 is starting up, or in some cases already running. Some of the most common comsvcs.dll errors include:
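The post above strings together several detection ideas for rundll32.exe: compare invocations against a known-good baseline, flag the comsvcs.dll MiniDump export, flag exports called by ordinal, flag invocations with no entry point at all, and match on the PE OriginalFileName so a renamed copy of rundll32.exe is still caught. The following Python is an added example that implements those checks over constructed Sysmon-style process-creation records; it is not code from the original post or from any of the vendors quoted in it. The field names (image, original_file_name, command_line), the analytic names, the KNOWN_GOOD baseline and every sample command line are assumptions made for the example.

```python
"""Rundll32 process-creation triage (constructed example, not the post's analytics)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 record; field names are this example's own."""
    image: str
    command_line: str
    original_file_name: str = ""
    parent_image: str = ""


# First token (the executable, possibly quoted) followed by everything else.
_FIRST_TOKEN_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(?P<rest>.*)$')
# rundll32's "DllFile,EntryPoint args" shape; rundll32 also accepts a space
# instead of the comma, so both separators are handled.
_DLL_SPEC_RE = re.compile(
    r'^\s*(?P<dll>"[^"]+"|[^,\s"]+)\s*(?:,\s*|\s+)?(?P<entry>[^,\s]+)?\s*(?P<args>.*)$')

# Constructed allowlist of (dll, entry point) pairs from prior known-good history.
# A real deployment builds this from its own telemetry, as the text recommends.
KNOWN_GOOD = {
    ("shell32.dll", "control_rundll"),
    ("url.dll", "fileprotocolhandler"),
    ("user32.dll", "lockworkstation"),
}


def is_rundll32(event):
    """True when either the image name or the PE OriginalFileName is rundll32.exe."""
    return (ntpath.basename(event.image).lower() == "rundll32.exe"
            or event.original_file_name.lower() == "rundll32.exe")


def parse_rundll32(command_line):
    """Split a rundll32 command line into (dll basename, entry point or None, args)."""
    head = _FIRST_TOKEN_RE.match(command_line)
    if not head:
        return None
    spec = _DLL_SPEC_RE.match(head.group("rest"))
    if not spec:
        return None  # bare "rundll32.exe" with nothing after it
    dll = ntpath.basename(spec.group("dll").strip('"')).lower()
    return dll, spec.group("entry"), spec.group("args").strip()


def analyze(event):
    """Return the analytic names that fire for one process-creation event."""
    if not is_rundll32(event):
        return []
    findings = []
    if ntpath.basename(event.image).lower() != "rundll32.exe":
        findings.append("renamed-rundll32")  # OriginalFileName says rundll32, image name does not
    parsed = parse_rundll32(event.command_line)
    if parsed is None:
        # An argument-less rundll32 does nothing on its own; it is a common injection host.
        return findings + ["no-arguments"]
    dll, entry, _args = parsed
    if entry is None:
        findings.append("no-entry-point")  # DLL named, no export named at all
    elif entry.startswith("#"):
        findings.append("ordinal-export")  # export called by ordinal, e.g. file.dll,#1
    if dll == "comsvcs.dll" and entry and entry.lower().startswith("minidump"):
        findings.append("lsass-dump-via-comsvcs")  # MiniDump / MiniDumpW export
    if (dll, (entry or "").lower()) not in KNOWN_GOOD:
        findings.append("not-in-baseline")  # never seen in known-good history
    return findings


def triage(events):
    """Map event index to findings, keeping only events on which something fired."""
    return {i: f for i, f in ((i, analyze(e)) for i, e in enumerate(events)) if f}


# Constructed sample records; paths, PIDs and file names are made up for the example.
SYS32 = r"C:\Windows\System32"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcessEvent(SYS32 + r"\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL desk.cpl", "RUNDLL32.EXE"),
    ProcessEvent(SYS32 + r"\rundll32.exe",
                 "rundll32.exe " + SYS32 + r"\comsvcs.dll, MiniDump 624 C:\Windows\Temp\out.dmp full",
                 "RUNDLL32.EXE"),
    ProcessEvent(SYS32 + r"\rundll32.exe", "rundll32.exe " + TEMP + r"\update.dll,#1", "RUNDLL32.EXE"),
    ProcessEvent(SYS32 + r"\rundll32.exe", "rundll32 " + TEMP + r"\loader.dll", "RUNDLL32.EXE"),
    ProcessEvent(TEMP + r"\host.exe", "host.exe " + TEMP + r"\update.dll,Start", "RUNDLL32.EXE"),
    ProcessEvent(SYS32 + r"\cmd.exe", "cmd.exe /c whoami", "Cmd.Exe"),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", hits)
```

The baseline check is deliberately the last rule and fires on anything not in KNOWN_GOOD, so the comsvcs.dll record produces two findings; in a real pipeline you would tune that rule with user and parent-process context, as the post's note on false positives suggests, rather than dropping it.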
