{"id":31080147,"url":"https://github.com/compcode1/ioc2-process-spawn-dll","last_synced_at":"2025-09-25T12:29:02.999Z","repository":{"id":292532324,"uuid":"981191220","full_name":"Compcode1/ioc2-process-spawn-dll","owner":"Compcode1","description":"In this second case study of the structured IOC triage series, we examined a subtle but dangerous host-based compromise involving the abuse of the Windows utility `rundll32.exe` to execute a malicious DLL payload.","archived":false,"fork":false,"pushed_at":"2025-05-10T14:53:39.000Z","size":0,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-10T15:38:39.218Z","etag":null,"topics":["cybersecurity","dll-investigation","edr-telemetry","ioc-analysis","windows-forensics"],"latest_commit_sha":null,"homepage":"","language":"Jupyter Notebook","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Compcode1.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-10T14:47:06.000Z","updated_at":"2025-05-10T14:55:30.000Z","dependencies_parsed_at":"2025-05-10T15:49:34.246Z","dependency_job_id":null,"html_url":"https://github.com/Compcode1/ioc2-process-spawn-dll","commit_stats":null,"previous_names":["compcode1/ioc2-process-spawn-dll"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Compcode1/ioc2-process-spawn-dll","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fioc2-process-spawn-dll","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fioc2-process-spawn-dll/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fioc2-process-spawn-dll/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fioc2-process-spawn-dll/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Compcode1","download_url":"https://codeload.github.com/Compcode1/ioc2-process-spawn-dll/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fioc2-process-spawn-dll/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275407963,"owners_count":25459380,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-16T02:00:10.229Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","dll-investigation","edr-telemetry","ioc-analysis","windows-forensics"],"created_at":"2025-09-16T11:02:10.418Z","updated_at":"2025-09-16T11:04:52.943Z","avatar_url":"https://github.com/Compcode1.png","language":"Jupyter Notebook","readme":"In this second case study of the structured IOC triage series, we examined a subtle but dangerous host-based compromise involving the abuse of the Windows utility `rundll32.exe` to execute a malicious DLL payload. Unlike more overt attacks, this technique blended into legitimate system behavior, requiring layered investigation across Windows Event Logs, EDR telemetry, registry keys, and file system artifacts.\n\n**Attacker Narrative**\n\nThe adversary in this case didn’t kick down the door or pick the lock—they walked in through the front entrance, wearing a city uniform and driving a sanitation truck. They exploited a system-native utility (`rundll32.exe`) to deliver a weaponized DLL in plain sight, bypassing suspicion and avoiding noisy payload droppers or shellcode.\n\nWhat made this especially deceptive was the attacker’s use of persistence infrastructure: the DLL was configured to auto-launch via a `Run` registry key and was also embedded into a background service. These redundant execution paths suggest an attacker seeking both reliability and stealth.\n\n**Investigation Highlights**\n\n- **Windows Security Event Log (4688)** captured the initial `rundll32.exe` process creation with suspicious command-line parameters.\n- **EDR telemetry** corroborated the anomalous execution path and flagged the process for behavioral deviations.\n- **Registry analysis** revealed persistence via the `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` key.\n- **A background service** was registered to trigger the same DLL, indicating a second persistence channel.\n\n**Cross-Layer Insight**\n\nThis case demonstrated clear pivot points between:\n- **Layer 1** (Process Execution)\n- **Layer 2** (Startup and Persistence)\n- **Layer 3** (Background Service Infrastructure)\n\nThe attack's execution strategy moved fluidly across these layers, reinforcing the need for defenders to analyze indicators not in isolation, but as behavioral threads woven through OS subsystems.\n\n**Analyst Reflection**\n\nWhile the forensic team successfully captured disk-based indicators, **volatile memory capture was not exercised**. In this case, disk-based indicators included the suspicious DLL file itself, the `rundll32.exe` process creation event (Event ID 4688), a persistent Run key in the Windows registry, and a registered Windows service configured to invoke the same DLL—each leaving concrete forensic artifacts on disk, all of which were recovered through post-mortem analysis. Because this case involved direct DLL execution (not injection), disk-based forensics were sufficient. However, in future investigations involving stealthier execution techniques like DLL injection or process hollowing, live memory analysis will be essential for capturing in-memory artifacts and runtime behavior.\n\nThis case continues the adversary-first, structured triage model defined in the Engineered Cybersecurity Architecture. It reflects real-world analyst workflows and emphasizes investigative rigor, system-layer awareness, and attacker behavior over static IOC lists.\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompcode1%2Fioc2-process-spawn-dll","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcompcode1%2Fioc2-process-spawn-dll","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompcode1%2Fioc2-process-spawn-dll/lists"}