
Google Drive File Stream and Secure Endpoint

Have been seeing "Detected RunDLL32 Suspicious Process" periodically on hosts for Google File Stream.  

[Attached screenshots: Screenshot 2023-02-15 112913.jpg, Screenshot 2023-02-15 112939.jpg]

1 Reply

Divya Jain, Cisco Employee

Hello,

Like other prevalent ATT&CK techniques, Rundll32 is a native Windows process and a functionally necessary component of the Windows operating system that can’t be blocked or disabled without breaking things. Adversaries typically abuse Rundll32 because it makes it hard to differentiate malicious activity from normal operations.

From a practical standpoint, Rundll32 enables the execution of dynamic link libraries (DLLs). Executing malicious code as a DLL is relatively inconspicuous compared to the more common option of executing malicious code as an executable. Under certain conditions, particularly if you lack controls for blocking DLL loads, the execution of malicious code through Rundll32 can bypass application control solutions.

You can refer to the Talos blog for details:

https://blog.talosintelligence.com/threat-roundup-1029-1105/

Signed binary proxy execution using rundll32.exe or regsvr32.exe - (206)

Malware has been detected using rundll32.exe or regsvr32.exe to execute additional malicious code. Several different malware families, including Qakbot, BazarLoader, Hafnium and Maze, use this technique.

This process can sometimes be flagged. You need to evaluate, at that instance, whether anything suspicious was happening on the PC; probably enable snapshot and check as well.

Regards,
Divya Jain
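The "evaluate whether anything suspicious was happening" step from the reply, as an added example that is not part of this thread and not Cisco Secure Endpoint or Google code: a small Python script that scores rundll32 process-creation records on the features an analyst checks (whether a DLL is actually named, where it lives, which export is called, and what the parent process is) and runs it over a few constructed records. The Drive File Stream command line, DLL name, install path and parent process in the first record are placeholders chosen for illustration; the thread does not say how that product invokes rundll32. The other records are constructed to resemble the abuse patterns the Talos roundup describes.

```python
"""Triage heuristics for rundll32.exe process-creation records.

Added example for this thread; not Cisco Secure Endpoint or Google code.
Records are constructed in the shape of Sysmon Event ID 1 fields. The Drive
File Stream command line, DLL name, install path and parent process are
placeholders for illustration, not how that product really invokes rundll32.
"""
import re

# (dll basename, export) pairs widely documented as proxy-execution launchers
KNOWN_ABUSED_EXPORTS = {
    ("shell32.dll", "shellexec_rundll"), ("url.dll", "openurl"),
    ("url.dll", "fileprotocolhandler"), ("advpack.dll", "launchinfsection"),
    ("ieadvpack.dll", "launchinfsection"), ("mshtml.dll", "runhtmlapplication"),
    ("zipfldr.dll", "routethecall"), ("pcwutl.dll", "launchapplication"),
}
# Parents that rarely have a legitimate reason to launch rundll32 directly
SCRIPT_OR_OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                            "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
TRUSTED_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/",
                "c:/program files/", "c:/program files (x86)/")
USER_WRITABLE = re.compile(
    r"/(appdata/local/temp|downloads|programdata|users/public|windows/temp)/")
# A token is a run of quoted segments and non-space characters, so that
# "C:\Program Files\x.dll",Entry survives as a single argument.
_TOKEN = re.compile(r'(?:"[^"]*"|\S)+')

def _norm(path):
    """Lower-case a Windows path and switch to forward slashes for matching."""
    return path.replace("\\", "/").lower()

def _basename(path):
    return _norm(path).rsplit("/", 1)[-1]

def split_cmdline(cmdline):
    """Split a Windows command line, honouring double-quoted arguments."""
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]

def dll_and_export(cmdline):
    """(dll, export) from 'rundll32.exe <dll>,<export> ...'; (None, None) if no DLL."""
    tokens = split_cmdline(cmdline)
    if len(tokens) < 2:
        return None, None
    dll, _, export = tokens[1].partition(",")
    return dll.strip(), export.strip()

def score_event(event):
    """Score one record; returns (score, reasons). Higher means look harder."""
    reasons = []
    dll, export = dll_and_export(event["CommandLine"])
    if dll is None:
        reasons.append((3, "started with no DLL argument (common injection host)"))
    elif dll.lower().startswith(("javascript:", "vbscript:")):
        reasons.append((5, "script protocol handler in place of a DLL path"))
    else:
        low, base = _norm(dll), _basename(dll)
        ext = base[base.rfind("."):] if "." in base else ""
        if ext and ext != ".dll":
            reasons.append((3, f"loaded module has non-DLL extension {ext!r}"))
        if (base, export.lower()) in KNOWN_ABUSED_EXPORTS:
            reasons.append((5, f"known proxy-execution export {base},{export}"))
        if USER_WRITABLE.search(low):
            reasons.append((3, "module loaded from a user-writable directory"))
        elif "/" in low and not low.startswith(TRUSTED_DIRS):
            reasons.append((1, "module outside Program Files / System32"))
    parent = event.get("ParentImage", "")
    if _basename(parent) in SCRIPT_OR_OFFICE_PARENTS:
        reasons.append((3, f"spawned by {_basename(parent)}"))
    elif USER_WRITABLE.search(_norm(parent)):
        reasons.append((2, "parent executable lives in a user-writable directory"))
    return sum(w for w, _ in reasons), [text for _, text in reasons]

def verdict(score):
    return "suspicious" if score >= 5 else "review" if score >= 2 else "benign-looking"

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {  # stand-in for the poster's Drive File Stream alert (placeholder paths)
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Google\Drive File Stream\placeholder.dll",PlaceholderEntry',
        "ParentImage": r"C:\Program Files\Google\Drive File Stream\GoogleDriveFS.exe"},
    {  # Office document loading a renamed DLL from %TEMP%
        "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.png,DllRegisterServer",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {  # bare rundll32 spawned by a downloaded executable
        "CommandLine": "rundll32.exe",
        "ParentImage": r"C:\Users\alice\Downloads\invoice.exe"},
    {  # signed system DLL export abused to open an HTA
        "CommandLine": r'rundll32.exe url.dll,OpenURL "C:\Users\bob\AppData\Local\Temp\x.hta"',
        "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, why = score_event(ev)
        print(f"{verdict(score):14} {score:2}  {ev['CommandLine']}")
        print("".join(f"    - {w}\n" for w in why), end="")
```

The first record comes out benign-looking only because its (placeholder) module sits under Program Files, it names a real .dll with an ordinary export, and its parent is the product's own process; those are exactly the fields to pull from the real alert before accepting it as a false positive. The other three are what a rundll32 alert looks like when it is worth escalating: a module with the wrong extension loaded from %TEMP% by an Office process, a bare rundll32 with no DLL argument (a common target for injection) launched from Downloads, and a signed system DLL export used to open a script file.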