HackTool - F-Secure C3 Load by Rundll32
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
| --- | --- | --- | --- | --- |
| HackTool - F-Secure C3 Load by Rundll32 | Standard | Windows | Defense Evasion: System Binary Proxy Execution - Rundll32 (T1218.011) | Trouble |
About the rule
Rule Type
Standard
Rule Description
Rundll32.exe is a legitimate Windows utility used to execute code from DLL files. Attackers commonly exploit Rundll32 to proxy malicious DLL execution, evade detection, and leverage living-off-the-land techniques. F-Secure C3 (Cubert) is an advanced red team command, control, and relay framework, often used by both security professionals and threat actors. This rule detects suspicious invocations of Rundll32.exe used to load components associated with the F-Secure C3 toolkit, based on command-line patterns, module names, or network behavior.
Severity
Critical
Rule journey
Attack chain scenario
Initial access → Execution → Abuse of Rundll32.exe loading F-Secure C3 component → Establishment of covert command and control channel → Impact
Impact
- Defense evasion
- Unauthorized remote access
- Malicious code execution
- Lateral movement
- Data exfiltration
Rule Requirement
Prerequisites
Use the Group Policy Management Console to audit process creation and process termination.
Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.
Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.
Criteria
Action1: actionname = "Process started"
  AND COMMANDLINE contains "rundll32.exe"
  AND COMMANDLINE contains ".dll"
  AND COMMANDLINE contains "StartNodeRelay"
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
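To show how the three command-line conditions above behave on real-looking telemetry, here is an added Python example (written for this page, not the SIEM's own rule engine) that parses constructed Sysmon Event ID 1 (Process Create) records in the Windows event XML layout, applies the criteria, and returns the same selected fields the rule emits. The sample events, host names, user names and DLL paths are constructed. One assumption beyond the rule text: the tokens are compared case-insensitively, so a command line spelled `RUNDLL32.EXE` or `.DLL` still matches; if your SIEM's `contains` is case-sensitive, the rule as written would miss those variants.

```python
"""Apply the 'F-Secure C3 Load by Rundll32' criteria to constructed Sysmon records.

Added example for this page; not the SIEM's implementation. All events below
are constructed sample data, not captured telemetry.
"""
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
RULE_NAME = "HackTool - F-Secure C3 Load by Rundll32"

# The three substrings the rule requires in COMMANDLINE (lower-cased for matching).
REQUIRED_TOKENS = ("rundll32.exe", ".dll", "startnoderelay")

SAMPLE_EVENTS = [
    # 1) Should fire: rundll32.exe loading a DLL and calling the StartNodeRelay export.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1</EventID><Computer>WS01.example.local</Computer></System>
<EventData>
<Data Name="Image">C:\\Windows\\System32\\rundll32.exe</Data>
<Data Name="CommandLine">rundll32.exe C:\\Users\\Public\\relay.dll,StartNodeRelay</Data>
<Data Name="User">EXAMPLE\\jdoe</Data>
<Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
</EventData></Event>""",
    # 2) Benign rundll32 use: a DLL is loaded, but no StartNodeRelay export. Must not fire.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1</EventID><Computer>WS02.example.local</Computer></System>
<EventData>
<Data Name="Image">C:\\Windows\\System32\\rundll32.exe</Data>
<Data Name="CommandLine">rundll32.exe shell32.dll,Control_RunDLL</Data>
<Data Name="User">EXAMPLE\\asmith</Data>
<Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
</EventData></Event>""",
    # 3) Mixed-case spelling of the same technique; fires only because matching folds case.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1</EventID><Computer>WS03.example.local</Computer></System>
<EventData>
<Data Name="Image">C:\\Windows\\SysWOW64\\RUNDLL32.EXE</Data>
<Data Name="CommandLine">RUNDLL32.EXE C:\\ProgramData\\c3node.DLL,StartNodeRelay</Data>
<Data Name="User">EXAMPLE\\svc-build</Data>
<Data Name="ParentImage">C:\\Windows\\System32\\cmd.exe</Data>
</EventData></Event>""",
    # 4) Contains the export name and ".dll" but is not rundll32.exe; must not fire.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1</EventID><Computer>WS04.example.local</Computer></System>
<EventData>
<Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="CommandLine">notepad.exe C:\\Temp\\notes-StartNodeRelay-relay.dll.txt</Data>
<Data Name="User">EXAMPLE\\jdoe</Data>
<Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
</EventData></Event>""",
]


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon event into a dict: EventID, Computer, plus every EventData field."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext(f"{EVT_NS}System/{EVT_NS}EventID") or ""
    computer = root.findtext(f"{EVT_NS}System/{EVT_NS}Computer") or ""
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}
    return {"EventID": event_id, "Computer": computer, **data}


def matches_rule(event: dict) -> bool:
    """The rule's criteria: a process-start event whose command line has all three tokens."""
    if event.get("EventID") != "1":  # Sysmon Event ID 1 == "Process started"
        return False
    cmd = event.get("CommandLine", "").lower()
    return all(token in cmd for token in REQUIRED_TOKENS)


def select_fields(event: dict) -> dict:
    """Project the matched event onto the fields the rule's 'select' clause returns."""
    image = event.get("Image", "")
    return {
        "HOSTNAME": event.get("Computer", ""),
        "MESSAGE": RULE_NAME,
        "COMMANDLINE": event.get("CommandLine", ""),
        "FILE_NAME": image.rsplit("\\", 1)[-1],
        "PROCESSNAME": image,
        "USERNAME": event.get("User", ""),
        "PARENTPROCESSNAME": event.get("ParentImage", ""),
    }


def run_rule(xml_events) -> list:
    """Parse every event, keep the ones that satisfy the criteria, return selected fields."""
    return [select_fields(ev) for ev in map(parse_sysmon_event, xml_events) if matches_rule(ev)]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

The parent process (`PARENTPROCESSNAME`) is carried through deliberately: a rundll32.exe spawned by an interactive shell or an Office process is worth more analyst attention than one spawned by a known installer, and that field is what the Known False Positives section below asks you to review alongside the DLL path.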
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: System Binary Proxy Execution - Rundll32 (T1218.011)
Security Standards
Enabling this rule helps you meet the security standard requirement listed below:
DE.CM-01: Networks and network services are monitored to find potentially adverse events.
When this rule is triggered, you’re notified of a suspicious use of Rundll32.exe to load an F-Secure C3 module. This enables you to scrutinize process creation, analyze DLL file origins, monitor network connections originating from Rundll32.exe, and promptly identify attempts to abuse LOLBins (living-off-the-land binaries) for covert command and control.
Author
Alfie Champion (ajpc500)
Future actions
Known False Positives
This rule may be triggered during authorized internal red team exercises or legitimate use of C3 by security teams for sanctioned testing. Always validate the activity against approved red team schedules, consult with security operations or penetration testing teams, and review command-line parameters and source DLL paths for legitimacy.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Reconfiguration: Update allowlists and red team schedules, refine detection rules to reduce false positives, and continue monitoring for variants in Rundll32 and C3 Toolkit usage.
Mitigation
| Mitigation ID | Mitigation Name | Mitigation description |
| --- | --- | --- |
| M1050 | Exploit Protection | Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control. |