Set Anti-Behavioural Detections

rundll32 has been the default "spawnto" for Cobalt Strike for a long time and is now a common point of detection. The service binary payload used by psexec also uses this default, which is why you see those Beacons running as rundll32.exe.

You can also set the spawnto inside malleable C2 by including the spawnto_x64 and spawnto_x86 directives inside the post-ex block. This has been done for the current profile.

When moving laterally with psexec, Beacon will attempt to use the spawnto setting from your malleable C2 profile. However, it cannot expand environment variables (such as %windir%), so it will fall back to rundll32 in those cases. You can override this at runtime with the ak-settings command to specify an absolute path instead.

beacon> ak-settings spawnto_x64 C:\Windows\System32\dllhost.exe
[*] Updating the spawnto_x64 process to 'C:\Windows\System32\dllhost.exe'
[*] artifact kit settings:
[*]    service     = ''
[*]    spawnto_x86 = 'C:\Windows\SysWOW64\rundll32.exe'
[*]    spawnto_x64 = 'C:\Windows\System32\dllhost.exe'

beacon> ak-settings spawnto_x86 C:\Windows\SysWOW64\dllhost.exe
[*] Updating the spawnto_x86 process to 'C:\Windows\SysWOW64\dllhost.exe'
[*] artifact kit settings:
[*]    service     = ''
[*]    spawnto_x86 = 'C:\Windows\SysWOW64\dllhost.exe'
[*]    spawnto_x64 = 'C:\Windows\System32\dllhost.exe'
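From the detection side, the spawnto process described above (rundll32.exe by default, dllhost.exe after the change) is started by the psexec service binary without the arguments either image normally carries. The following is an added example, not code from the original page or from Cobalt Strike, that applies that heuristic to constructed process-creation events; the field names and the "expected argument" patterns are assumptions (rundll32 normally receives a DLL and export, dllhost normally runs as a COM surrogate with /Processid).

```python
import re
from typing import Dict, List

# Constructed sample events (not from the original page). Field names are an
# assumption, loosely modelled on a process-creation log entry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # spawnto default: psexec service binary starts a bare rundll32.exe
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\svc_4d2a.exe"},
    # benign rundll32 launch carrying a DLL and an export name
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    # spawnto changed to dllhost.exe, still started with no COM arguments
    {"image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe",
     "parent": r"C:\Windows\svc_4d2a.exe"},
    # benign COM surrogate (constructed CLSID)
    {"image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{11111111-2222-3333-4444-555555555555}",
     "parent": r"C:\Windows\System32\svchost.exe"},
]

# Command-line shape a legitimate launch of each host image normally has
# (assumed heuristic): rundll32 <dll>,<export> and dllhost /Processid:{...}.
EXPECTED_ARGS = {
    "rundll32.exe": re.compile(r"\.dll\s*,", re.IGNORECASE),
    "dllhost.exe": re.compile(r"/processid:\{", re.IGNORECASE),
}

def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_spawnto_like(event: Dict[str, str]) -> bool:
    """True when a known spawnto host image starts without its usual arguments."""
    pattern = EXPECTED_ARGS.get(basename(event["image"]))
    if pattern is None:
        return False
    return not pattern.search(event["cmdline"])

def flag_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events that match the bare spawnto heuristic."""
    return [e for e in events if is_spawnto_like(e)]

if __name__ == "__main__":
    for e in flag_events(SAMPLE_EVENTS):
        print(f"suspicious: {e['image']} <- parent {e['parent']}")
```

Correlating the flagged start with its parent (here a freshly installed service binary) is what turns the heuristic into a psexec lateral-movement alert rather than a generic rundll32 rule.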
