Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to execute dll files

Author: Oddvar Moe

Paths: * C:\Windows\System32\rundll32.exe * C:\Windows\SysWOW64\rundll32.exe

Resources: * https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/ * https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7 * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ * https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/ * https://github.com/sailay1996/expl-bin/blob/master/obfus.md * https://github.com/sailay1996/misc-bin/blob/master/rundll32.md * https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90 * https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code

Detection: * Sigma: net_connection_win_rundll32_net_connections.yml * Sigma: proc_creation_win_rundll32_susp_activity.yml * Elastic: defense_evasion_unusual_network_connection_via_rundll32.toml * IOC: Outbount Internet/network connections made from rundll32 * IOC: Suspicious use of cmdline flags such as -sta^{[Rundll32.exe - LOLBAS Project]}

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
APT19 (713e2963-fbf4-406f-a8cf-6a4489d90439)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
TA505 (b3220638-6682-4a4e-ab64-e7dc4202a3f1)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	APT28 (5b1a5b9e-4722-41fc-a15d-196a549e3ac5)	Tidal Groups	1
TA551 (8951bff3-c444-4374-8a9e-b2115d9125b2)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
APT29 (4c3e48b9-4426-4271-a7af-c3dfad79f447)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
APT32 (c0fe9859-e8de-4ce1-bc3c-b489e914a145)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
APT38 (dfbce236-735c-436d-b433-933bd6eae17b)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	Kimsuky (37f317d8-02f0-43d4-8a7d-7a65ce8aadf1)	Tidal Groups	1
APT41 (502223ee-8947-42f8-a532-a3b3da12b7d9)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
Lazarus Group (0bc66e95-de93-4de7-b415-4041b7191f08)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
LazyScripter (12279b62-289e-49ee-97cb-c780edd3d091)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
Magic Hound (7a9d653c-8812-4b96-81d1-b0a27ca918b4)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
Sandworm Team (16a65ee9-cd60-4f04-ba34-f2f45fcfc666)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
Blue Mockingbird (b82c6ed1-c74a-4128-8b4d-18d1e17e1134)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
Carbanak (72d9bea7-9ca1-43e6-8702-2fb7fb1355de)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
Gamaredon Group (41e8b4a4-2d31-46ee-bc56-12375084d067)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	MuddyWater (dcb260d8-9d53-404f-9ff5-dbee2c6effe6)	Tidal Groups	1
Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	Storm-0501 (de72d564-6487-4cf3-be3e-0a961cf15d5d)	Tidal Groups	1
CopyKittens (6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1
HAFNIUM (1bcc9382-ccfe-4b04-91f3-ef1250df5e5b)	Tidal Groups	Rundll32 (cd5a27c8-9611-41d9-b839-b0ba7daf58b5)	Tidal Software	1