T1218.011: Rundll32

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Running a payload through rundll32.exe instead of loading it directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)) may avoid triggering security tools that do not monitor the rundll32.exe process, either because it is allowlisted or because its normal activity produces false positives. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}`). Rundll32.exe can also be used to e...

Platform: Windows | Detections: 73 | Sources: 4 | Threat Actors: 26

BY SOURCE: elastic 27, sigma 27, splunk_escu 18, crowdstrike_cql 1

PROCEDURES (53)

Auto-extracted keyword groups with the number of detections in each. Group names are the keyword stems as extracted (e.g. "Exfiltrat", "Masquerad"), and the same stem can appear as more than one group.

Process Creation Monitoring: 6 detections
Suspicious: 4 detections
Script Execution Monitoring: 4 detections
Parent Process: 2 detections
Privilege: 2 detections
Powershell: 2 detections
Child Process: 2 detections
C2: 2 detections
Network Connection Monitoring: 2 detections
Remote: 2 detections
Unusual: 2 detections
Exfiltrat: 2 detections
Lsass: 1 detection
Inject: 1 detection
Privilege: 1 detection
Unusual: 1 detection
Http: 1 detection
Evasion: 1 detection
Privilege: 1 detection
File Monitoring: 1 detection
Registry: 1 detection
Bypass: 1 detection
Service: 1 detection
Download: 1 detection
Exfiltrat: 1 detection
Remote: 1 detection
Masquerad: 1 detection
Exfiltrat: 1 detection
Registry: 1 detection
Inject: 1 detection
Dump: 1 detection
Powershell: 1 detection
Bypass: 1 detection
Remote: 1 detection
Module Load Monitoring: 1 detection
Unusual: 1 detection
Api: 1 detection
Ransomware: 1 detection
Evasion: 1 detection
Suspicious: 1 detection
Privilege: 1 detection
Service: 1 detection
General Monitoring: 1 detection
Suspicious: 1 detection
Persist: 1 detection
Inject: 1 detection
Child Process: 1 detection
Http: 1 detection
Lsass: 1 detection
Lsass: 1 detection
Http: 1 detection
C2: 1 detection
Credential: 1 detection

DETECTIONS (73)

Listed as name (source, level). Splunk ESCU and CrowdStrike CQL entries carry no level on this page.

Bad Opsec Defaults Sacrificial Processes With Improper Arguments (sigma, high)
CobaltStrike Load by Rundll32 (sigma, high)
Code Execution via Pcwutl.dll (sigma, medium)
Command Shell Activity Started via RunDLL32 (elastic, low)
Delayed Execution via Ping (elastic, low)
Execution from Unusual Directory - Command Line (elastic, medium)
Execution of Persistent Suspicious Program (elastic, medium)
Execution via GitHub Actions Runner (elastic, medium)
Execution via OpenClaw Agent (elastic, medium)
HackTool - F-Secure C3 Load by Rundll32 (sigma, critical)
HackTool - RedMimicry Winnti Playbook Execution (sigma, high)
HTML Help HH.EXE Suspicious Child Process (sigma, high)
LOLBin Rundll32 (crowdstrike_cql)
Outbound Network Connection To Public IP Via Winlogon (sigma, medium)
Potential Command and Control via Internet Explorer (elastic, medium)
Potential Credential Access via Renamed COM+ Services DLL (elastic, high)
Potential Credential Access via Windows Utilities (elastic, high)
Potential Local NTLM Relay via HTTP (elastic, high)
Potential PowerShell Execution Via DLL (sigma, high)
Potential Protocol Tunneling via Yuze (elastic, medium)
Potentially Suspicious Rundll32 Activity (sigma, medium)
Potentially Suspicious Rundll32.EXE Execution of UDL File (sigma, medium)
Process Access via TrolleyExpress Exclusion (sigma, high)
Rare Connection to WebDAV Target (elastic, medium)
Remote Thread Creation Via PowerShell In Uncommon Target (sigma, medium)
RunDLL Loading DLL By Ordinal (splunk_escu)
Rundll32 Control RunDLL Hunt (splunk_escu)
Rundll32 Control RunDLL World Writable Directory (splunk_escu)
Rundll32 DNSQuery (splunk_escu)
Rundll32 Execution With Uncommon DLL Extension (sigma, medium)
Rundll32 InstallScreenSaver Execution (sigma, medium)
Rundll32 Internet Connection (sigma, medium)
Rundll32 LockWorkStation (splunk_escu)
Rundll32 Process Creating Exe Dll Files (splunk_escu)
RunDLL32 Spawning Explorer (sigma, high)
Rundll32 UNC Path Execution (sigma, high)
Rundll32 with no Command Line Arguments with Network (splunk_escu)
SCR File Write Event (sigma, medium)
ScreenSaver Registry Key Set (sigma, medium)
Script Execution via Microsoft HTML Application (elastic, high)
Service Control Spawned via Script Interpreter (elastic, low)
Shell32 DLL Execution in Suspicious Directory (sigma, high)
Suspicious .NET Code Compilation (elastic, medium)
Suspicious Control Panel DLL Load (sigma, high)
Suspicious Execution from a Mounted Device (elastic, medium)
Suspicious Execution from VS Code Extension (elastic, medium)
Suspicious Explorer Child Process (elastic, medium)
Suspicious HH.EXE Execution (sigma, high)
Suspicious IcedID Rundll32 Cmdline (splunk_escu)
Suspicious JetBrains TeamCity Child Process (elastic, medium)
Suspicious Microsoft HTML Application Child Process (elastic, high)
Suspicious MS Office Child Process (elastic, medium)
Suspicious Rundll32 Activity Invoking Sys File (sigma, high)
Suspicious Rundll32 dllregisterserver (splunk_escu)
Suspicious Rundll32 Execution With Image Extension (sigma, high)
Suspicious Rundll32 no Command Line Arguments (splunk_escu)
Suspicious Rundll32 PluginInit (splunk_escu)
Suspicious Rundll32 Setupapi.dll Activity (sigma, medium)
Suspicious Rundll32 StartW (splunk_escu)
Suspicious ScreenConnect Client Child Process (elastic, medium)
Suspicious Shell Execution via Velociraptor (elastic, medium)
Suspicious ShellExec_RunDLL Call Via Ordinal (sigma, high)
Suspicious SolarWinds Web Help Desk Java Module Load or Child Process (elastic, high)
Unsigned DLL Loaded by Windows Utility (sigma, medium)
Unusual Child Processes of RunDLL32 (elastic, high)
Unusual Network Connection via RunDLL32 (elastic, medium)
Windows Application Whitelisting Bypass Attempt via Rundll32 (splunk_escu)
Windows LOLBAS Executed As Renamed File (splunk_escu)
Windows LOLBAS Executed Outside Expected Path (splunk_escu)
Windows Rundll32 Apply User Settings Changes (splunk_escu)
Windows Rundll32 Load DLL in Temp Dir (splunk_escu)
Windows Rundll32 with Non-Standard File Extension (splunk_escu)
Windows Server Update Service Spawning Suspicious Processes (elastic, high)