SolarWinds attack and rundll32.exe
A dynamic-link library (DLL) is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems. These libraries usually have the file extension .dll. Typically there is no technical way to launch a DLL file directly, so Windows uses the rundll32.exe process to execute code in DLL files.
But we have also seen attackers use rundll32.exe to execute malicious files. In the recent attack on SolarWinds the attackers used the rundll32.exe process, and I share the details below. The description of how it happened is taken from the Microsoft security blog, where they explained how the attack happened.
The attackers achieved this by having the SolarWinds process create an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe. This is a known MITRE ATT&CK technique used for persistence, but it could also be abused to trigger execution of malicious code when a certain process is launched. Once the registry value is created, the attackers simply wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped.
The VBScript in turn runs rundll32.exe, activating the Cobalt Strike DLL using a clean parent/child process tree completely disconnected from the SolarWinds process. Finally, the VBScript removes the previously created IFEO value to clean up any traces of execution and also deletes the following registry keys related to HTTP proxy:
- HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
- HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
So it is very important to check which file or process rundll32.exe is running, and whether it is genuine or not. We get such information from EDR workflow data, which explains every process that ran with a very clear diagram. But I am writing this blog to explain basic steps for dealing with rundll32.exe: for a normal user it is difficult to use EDR or AV tools and to understand how they work, but they can follow a few steps that help to monitor and protect their own computer.
rundll32.exe helps to run programs in DLL (Dynamic Link Library) files, because a DLL file cannot be launched directly.
First investigation: we can check which files are running under rundll32.exe with the command below.
tasklist /m /fi "imagename eq rundll32.exe"
You will see the list of DLL files that each rundll32.exe process has loaded.
Second investigation: find the location of the rundll32.exe file. If it is not running from the right location, it is not the right file.
Right-click rundll32.exe in Task Manager and open its file location.
The correct file path is: C:\Windows\System32\rundll32.exe.
Check the filename carefully: attackers sometimes use a look-alike name such as Rund1l32.exe, with the digit 1 in place of the letter l, or something similar.