A penetration tester is using rundll32.exe to execute a payload from a malicious DLL on a compromised Windows host. The goal is to make the execution appear as legitimate system activity. Which statement accurately describes how rundll32.exe facilitates this?
It injects the DLL's code directly into the memory space of another critical process, such as lsass.exe or explorer.exe.
It executes the DLL by calling a specific, exported function, and since rundll32.exe is a trusted system process, the activity is less likely to raise alarms.
It modifies the registry to associate the malicious DLL with a common file type, causing it to execute automatically when a user logs in.
It renames the malicious DLL to match a legitimate system file, which allows the operating system to load it without needing a function name.
The correct answer accurately describes the primary use of rundll32.exe as a LOLBin (living-off-the-land binary). It is a legitimate, signed Windows binary that runs code from DLLs by calling a specific exported function by name. Because the process is a trusted, signed system utility, it can help evade simple detection mechanisms that only look for unsigned or unknown processes. The other options describe distinct techniques: process injection, registry modification for persistence, and file masquerading; the last of these also wrongly claims that no function name is required.