DEV Community

Saravana Gautham
Saravana Gautham

Posted on

Abusing LOLBins: rundll32.exe Lab & Sysmon Detection

#lolbins #cybersecurity #sysmon #beginners

1. Introduction

When attackers compromise a Windows system, they don’t always drop flashy malware. Instead, they often live off the land by abusing built-in Windows tools that administrators themselves rely on. These tools, known as LOLBins (Living-Off-the-Land Binaries), are signed by Microsoft and trusted by the OS. Because of this, their misuse often slips past antivirus and security defenses.

In this post, we’ll explore what LOLBins are, why they are stealthy, and walk through a hands-on lab where a simple DLL is executed using the LOLBin rundll32.exe. Finally, we’ll flip perspectives to the defender’s side and see how Sysmon logs reveal the tell-tale signs of abuse.

2. What are LOLBins?

LOLBins are legitimate executables and scripts that come pre-installed with operating systems (like Windows). Attackers can abuse them to perform malicious actions without dropping custom malware.

Examples:

  • rundll32.exe
  • certutil.exe
  • powershell.exe
  • mshta.exe

Since they are signed by Microsoft and widely used for admin tasks, their execution often bypasses security controls and raises less suspicion.

👉 How attackers use LOLBins:

  • Downloading payloads
  • Executing arbitrary code
  • Lateral movement
  • Data exfiltration

👉 How defenders detect misuse:

  • Monitor unusual command-line arguments
  • Trace parent-child process relationships
  • Analyze telemetry from Sysmon or EDR tools

3. Why are LOLBins Stealthy?

LOLBins are stealthy because:

  • They are trusted, signed binaries already present in Windows.
  • They allow attackers to avoid dropping new executables (lowers AV detection risk).
  • They can proxy malicious commands through normal admin utilities (e.g., certutil for downloads, rundll32 for DLL execution).
  • Their execution blends in with normal system/admin behavior.
  • They often run with inherited or elevated privileges, giving attackers powerful access while appearing benign.

4. Lab Setup

4.1 Basic Windows-Only Setup

In this setup, I created a .dll file locally and executed it with rundll32.exe.

  • The Hello.dll file is harmless and only pops up a message box.
  • But an attacker could replace it with malicious code.

What happened?

  • I compiled a DLL with an exported function.
  • Used rundll32.exe to execute it.
  • Proof: the pop-up “Hello from rundll32”.

Malicious file created locally

Malicious .dll file executed using rundll32

Why rundll32.exe?

  • Built-in LOLBin, signed by Microsoft
  • Loads and executes arbitrary DLLs
  • Can bypass application whitelisting controls

👉 Significance: even though the message box is harmless, the same method could load a Cobalt Strike beacon, keylogger, or ransomware.

4.2 Advanced: Kali + Windows Setup

Here I simulated a more realistic attacker scenario using Kali + Windows.

  1. Attempted to download Hello.dll from Kali to Windows using certutil.
  2. WSC blocked the download.
  3. Switched to PowerShell Invoke-WebRequest and successfully downloaded it.
  4. Executed DLL using rundll32.exe.

WSC detects malicious use of certutil

Using Invoke-WebRequest to download malicious file

Executing the malicious file using rundll32

4.3 Blue-Team Activities

Sysmon Event ID 1 (Process Creation) revealed the suspicious process:

  • CommandLine → shows rundll32.exe loading a DLL from Desktop (unusual).
  • ParentProcesscmd.exe, confirming it was manually launched.
  • User & IntegrityLevel → shows who executed it and privilege level.
  • Hashes → defenders can track the specific DLL in the future.

Sysmon EVENT 1 log details

Key Fields to Watch in Event ID 1:

  1. ImageC:\Windows\System32\rundll32.exe
  2. CommandLinerundll32.exe C:\Users\testuser1\Desktop\Hello.dll,HelloExport (suspicious location)
  3. CurrentDirectoryC:\Users\testuser1\Desktop\ (should normally be System32)
  4. UserANNU\testuser1
  5. ParentImagecmd.exe (manual execution chain)
  6. Hashes → unique fingerprint (can be checked in VirusTotal)
  7. IntegrityLevelHigh (ran with elevated permissions)

5. Conclusion

LOLBins highlight a critical reality in modern security: attackers don’t always need to bring their own tools. By abusing trusted binaries like rundll32.exe, they can execute arbitrary code, evade detection, and blend into normal activity.

Even a harmless “Hello World” DLL shows how dangerous this technique can be if swapped for real malware.

👉 For defenders: monitor command-line arguments, parent-child processes, and execution paths (like DLLs from user directories). Understanding these abuse cases helps red teams demonstrate risk and blue teams detect attacks.

Top comments (0)