Rundll32.EXE Calling DllRegisterServer Export Function Explicitly

    Date: 09/04/2024

    Severity: Medium

    Summary

    This detection covers `rundll32.exe` being used to call the `DllRegisterServer` export of a DLL explicitly, for example `rundll32.exe C:\path\payload.dll,DllRegisterServer`. `DllRegisterServer` is the export that `regsvr32.exe` normally invokes to register a COM server, and software installers legitimately trigger it for DLLs under the standard install locations. Attackers use the same call as a proxy-execution technique (MITRE ATT&CK T1218.011, System Binary Proxy Execution: Rundll32): the export simply runs whatever code the DLL author put in it, so a payload dropped in a user-writable directory is executed by a signed Microsoft binary without touching `regsvr32.exe`. The referenced Sigma rule therefore flags `rundll32.exe` with `DllRegisterServer` on its command line when the DLL does not sit under Program Files, System32 or SysWOW64.

    Indicators of Compromise (IOC) List

    These are the match conditions of the referenced Sigma rule rather than atomic IOCs. Values are matched case-insensitively against Sysmon Event ID 1 (process creation) or the equivalent EDR process fields.

    Image (ends with) or OriginalFileName (equals): either one identifies rundll32, so a copy of the binary renamed to something else is still caught by the PE version resource

    '\rundll32.exe'

    'RUNDLL32.EXE'

    CommandLine (contains)

    'DllRegisterServer'

    CommandLine exclusions: a hit is dropped when the command line also contains one of these standard install locations, where installers legitimately register DLLs

    ':\Program Files (x86)\'

    ':\Program Files\'

    ':\Windows\System32\'

    ':\Windows\SysWOW64\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Both queries follow the Sigma rule: rundll32 is identified by image name OR original file name, the command line must contain DllRegisterServer, and the four standard install locations are an exclusion (NOT), so the query fires only when the DLL being registered lives elsewhere.

    Detection Query 1

    ((Resourcename in ("Sysmon") AND eventtype = "1") AND (image = "\rundll32.exe" OR originalfilename = "RUNDLL32.EXE")) AND commandline in ("DllRegisterServer") AND NOT commandline in (":\Program Files (x86)\",":\Program Files\",":\Windows\System32\",":\Windows\SysWOW64\")

    Detection Query 2

    ((Technologygroup = "EDR") AND (image = "\rundll32.exe" OR originalfilename = "RUNDLL32.EXE")) AND commandline in ("DllRegisterServer") AND NOT commandline in (":\Program Files (x86)\",":\Program Files\",":\Windows\System32\",":\Windows\SysWOW64\")
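    The rule logic described above, as an added example (this is not code from the Gurucul page or from the SigmaHQ rule itself), implemented in Python and run over constructed Sysmon Event ID 1 style records. The sample events, their field contents and the helper names are assumptions for illustration; only the match conditions come from the rule.

```python
# Added example (not from the Gurucul page or the SigmaHQ rule): the referenced
# rule's matching logic, applied to constructed Sysmon Event ID 1 style records
# so the include/exclude behaviour can be checked offline.

# Standard install locations. In the rule these are an exclusion filter:
# installers legitimately register DLLs living here, so such hits are dropped.
LEGIT_LOCATIONS = (
    ":\\Program Files (x86)\\",
    ":\\Program Files\\",
    ":\\Windows\\System32\\",
    ":\\Windows\\SysWOW64\\",
)

# Constructed sample events, not real telemetry. Field names follow Sysmon.
SAMPLE_EVENTS = [
    # Payload in a user-writable directory: the case the rule is written for.
    {"Id": "A", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\update.dll,DllRegisterServer"},
    # Installer registering a vendor DLL under Program Files: excluded.
    {"Id": "B", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe \"C:\\Program Files\\Vendor\\comp.dll\",DllRegisterServer"},
    # rundll32 calling a different export: not this rule's concern.
    {"Id": "C", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    # rundll32 copied and renamed: Image no longer ends in \rundll32.exe, but
    # the PE version resource (OriginalFileName) still says RUNDLL32.EXE.
    {"Id": "D", "Image": "C:\\Users\\Public\\svchost.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "svchost.exe C:\\ProgramData\\loader.dll,DllRegisterServer"},
    # Same export reached through regsvr32: out of scope for this rule.
    {"Id": "E", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "regsvr32.exe /s C:\\Users\\Public\\update.dll"},
]


def is_rundll32(event):
    """Image ends with '\\rundll32.exe' OR OriginalFileName is 'RUNDLL32.EXE'.
    Sigma string matching is case-insensitive, so compare folded values."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").upper()
    return image.endswith("\\rundll32.exe") or original == "RUNDLL32.EXE"


def calls_dllregisterserver(command_line):
    """CommandLine contains 'DllRegisterServer' (case-insensitive)."""
    return "dllregisterserver" in command_line.lower()


def in_standard_location(command_line):
    """Exclusion filter: CommandLine contains one of LEGIT_LOCATIONS."""
    folded = command_line.lower()
    return any(path.lower() in folded for path in LEGIT_LOCATIONS)


def matches_rule(event):
    """rundll32 selection AND DllRegisterServer AND NOT standard-location filter."""
    cmd = event.get("CommandLine", "")
    return (is_rundll32(event)
            and calls_dllregisterserver(cmd)
            and not in_standard_location(cmd))


def alerting_ids(events):
    """Return the Ids of the events the rule would raise on."""
    return [e["Id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_rule(event) else "pass"
        print(f"{event['Id']}: {verdict}  {event['CommandLine']}")
```

    Two points worth noting when triaging hits. The exclusion is evaluated on the command line, not on the image path, so a genuine `C:\Windows\System32\rundll32.exe` registering a DLL from `C:\Users\Public` still alerts (event A). Conversely, the filter is a plain substring test: an attacker who can write into a subdirectory of Program Files, or who pads an argument with a matching string, avoids the alert, so this rule should be paired with the other rundll32 rules rather than relied on alone.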

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml


    Tags

    SigmaMalware

