Detects suspicious process related to rundll32 based on arguments

Read More

Detects the execution of rundll32 with a command line that doesn't contain a .dll file

Read More

Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.

Read More

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

Read More

Detects the creation of a remote thread from a Powershell process in a potentially suspicious target process

Read More

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Read More

Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.

Read More

Detects a specific export function name used by one of EquationGroup tools

Read More

Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL

Read More

Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll

Read More

Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities

Read More

Detects a rundll32 that communicates with public IP addresses

Read More

Detects Trojan loader activity as used by APT28

Read More

Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory

Read More

Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way

Read More

Detects rundll32 execution where the DLL is located on a remote location (share)

Read More

Detects remote thread injection events based on action seen used by bumblebee

Read More

Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.

Read More

Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID

Read More

Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl

Read More

An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver

Read More

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Read More

Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report

Read More

Detects Archer malware invocation via rundll32

Read More

Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023

Read More

Detects a ZxShell start by the called and well-known function name

Read More

Detects the DllRegisterServer export function implemented with Rundll32. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances where Rundll32 opens a cross process handle into LSASS to collect credentials. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of Rundll32 being spawned by unusual or suspicious parent processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of Rundll32 without a command line spawning child processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects a "winlogon.exe" process that initiate network communications with public IP addresses

Read More

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Read More

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Read More

Detects the execution of Rundll32.exe with DLL files masquerading as image files

Read More

F-Secure C3 produces DLLs with a default exported StartNodeRelay function.

Read More

Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits

Read More

Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility

Read More

Detects shell32.dll executing a DLL in a suspicious directory

Read More

Detects suspicious calls of DLLs in rundll32.dll exports by ordinal

Read More

Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452

Read More

setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.

Read More

Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.

Read More

DLLs that are designed to be loaded by Regsvr32 are expected to have a DllRegisterServer export function implemented. This detects use of the same DLL to rundll32.exe. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects instances of rundll32.exe running Windows native DLLs that have export functionalities that adversaries commonly leverage for executing malicious code and evading defensive controls. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects executions of rundll32.exe from unusual or suspicious parent processes. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects instances of rundll32.exe with no command line that spawns a child process. Inspired by the 2022 Red Canary Threat Detection report.

Read More