![]() abusing legitimate DLLs or export functions to perform malicious actions.using legitimate functions to bypass application control solutions.How do adversaries use Rundll32?Īdversaries abuse Rundll32 in many ways, but we commonly observe the following generic patterns of behavior: Under certain conditions, particularly if you lack controls for blocking DLL loads, the execution of malicious code through Rundll32 can bypass application control solutions. Executing malicious code as a DLL is relatively inconspicuous compared to the more common option of executing malicious code as an executable. ![]() Adversaries typically abuse Rundll32 because it makes it hard to differentiate malicious activity from normal operations.įrom a practical standpoint, Rundll32 enables the execution of dynamic link libraries (DLL). Like other prevalent ATT&CK techniques, Rundll32 is a native Windows process and a functionally necessary component of the Windows operating system that can’t be blocked or disabled without breaking things. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
June 2023
Categories |