Behavioural Detections

rundll32 has been the default "spawnto" for Cobalt Strike for a long time and is now a common point of detection. The service binary payload used by psexec also uses it by default, which is why those Beacons show up as rundll32.exe.

To change the post-ex process, use the spawnto command (sysnative and syswow64 paths should be used rather than system32):

spawnto x64 %windir%\sysnative\dllhost.exe

spawnto x86 %windir%\syswow64\dllhost.exe

We can now check the post-ex process name and confirm that it is dllhost:

powerpick Get-Process -Id $pid | select ProcessName

To reset it to default:

spawnto

We can also include these changes in the Malleable C2 profile so they apply by default.

When moving laterally with psexec, Beacon will attempt to use the spawnto setting from your Malleable C2 profile. However, it cannot expand environment variables (such as %windir%), so it will fall back to rundll32 in those cases. We can override this at runtime by specifying an absolute path instead:

ak-settings spawnto_x64 C:\Windows\System32\dllhost.exe

ak-settings spawnto_x86 C:\Windows\SysWOW64\dllhost.exe
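The defender-side counterpart to the two spawnto passages above (rundll32 as the default and dllhost as a replacement) is a process-creation check that does not care which binary was chosen. The following is an added example, not code from the original page or from Cobalt Strike: it runs a simple heuristic over constructed Sysmon-style process-creation records and flags rundll32.exe or dllhost.exe launched without the arguments a legitimate start normally carries. The baselines it assumes (rundll32 naming a DLL and entry point, dllhost carrying /Processid) are my assumptions about typical usage, not something the page states, and the sample events and GUID are constructed.

```python
# Added example (not from the original page): flag process-creation events
# where rundll32.exe or dllhost.exe start with no meaningful arguments.
# The "expected argument" baselines are assumptions, not page content.
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    """Minimal Sysmon event ID 1 style record (constructed for this example)."""
    image: str          # full path of the new process
    command_line: str   # command line as logged
    parent_image: str   # full path of the parent process


# Constructed sample telemetry; the GUID and paths are made up.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", "rundll32.exe",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 '"C:\\Windows\\System32\\rundll32.exe" shell32.dll,Control_RunDLL',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\dllhost.exe", "dllhost.exe",
                 r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    ProcessEvent(r"C:\Windows\System32\dllhost.exe",
                 "dllhost.exe /Processid:{00000000-1111-2222-3333-444444444444}",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Windows\SysWOW64\dllhost.exe", "dllhost.exe",
                 r"C:\Windows\System32\rundll32.exe"),
]

WATCHED = {"rundll32.exe", "dllhost.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def arguments_of(command_line: str) -> str:
    """Strip the program token (quoted or not) and return the remaining arguments."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        rest = cl[end + 1:] if end != -1 else ""
    else:
        parts = cl.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip()


def has_expected_arguments(name: str, command_line: str) -> bool:
    """Assumed baselines: rundll32 takes 'dll,entrypoint'; dllhost takes /Processid."""
    args = arguments_of(command_line)
    if name == "rundll32.exe":
        # A genuine rundll32 launch names a DLL and an entry point separated by a comma.
        return "," in args
    if name == "dllhost.exe":
        # COM surrogate launches carry a /Processid:{CLSID} argument.
        return "/processid:" in args.lower()
    return True


def is_suspicious(ev: ProcessEvent) -> bool:
    """True when a watched host binary starts without its usual arguments."""
    name = image_name(ev.image)
    if name not in WATCHED:
        return False
    return not has_expected_arguments(name, ev.command_line)


def scan(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that match the argument-less host-process heuristic."""
    return [ev for ev in events if is_suspicious(ev)]


def describe(ev: ProcessEvent) -> str:
    """One-line finding, including the parent so an analyst can pivot on it."""
    return f"{image_name(ev.image)} with no expected arguments, parent={ev.parent_image}"


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(describe(finding))
```

Because the check keys on missing arguments rather than on the binary name, switching spawnto from rundll32 to dllhost (or any other host that normally takes arguments) does not by itself change the outcome; the parent image in each finding is what an analyst would pivot on next.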
