Detects the execution of rundll32 with a command line that doesn't contain a common extension

Read More

Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.

Read More

Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.

Read More

Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.

Read More

Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.

Read More

Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.

Read More

Detects the creation of a remote thread from a Powershell process in an uncommon target process

Read More

Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.

Read More

Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.

Read More

Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse the technique as a phishing vector to capture authentication credentials or other sensitive data.

Read More

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Read More

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Read More

Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.

Read More

Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.

Read More

Detects a specific export function name used by one of EquationGroup tools

Read More

Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report

Read More

Detects Archer malware invocation via rundll32

Read More

F-Secure C3 produces DLLs with a default exported StartNodeRelay function.

Read More

Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility

Read More

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Read More

Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID

Read More

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

Read More

Detects a "winlogon.exe" process that initiate network communications with public IP addresses

Read More

Detects remote thread injection events based on action seen used by bumblebee

Read More

Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL

Read More

Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine.

Read More

Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities

Read More

Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory

Read More

Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023

Read More

An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver

Read More

Detects a rundll32 that communicates with public IP addresses

Read More

Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way

Read More

Detects rundll32 execution where the DLL is located on a remote location (share)

Read More

Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.

Read More

Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl

Read More

Detects shell32.dll executing a DLL in a suspicious directory

Read More

Detects Trojan loader activity as used by APT28

Read More

Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits

Read More

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Read More

Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452

Read More

Detects the execution of Rundll32.exe with DLL files masquerading as image files

Read More

setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.

Read More

Detects a ZxShell start by the called and well-known function name

Read More

DLLs that are designed to be loaded by Regsvr32 are expected to have a DllRegisterServer export function implemented. Adversaries will often supply the same DLL to rundll32.exe as well. Executing the DllRegisterServer export function with rundll32.exe is tradecraft that’s unique to adversary behavior and is rarely seen in legitimate scenarios. We’ve observed this behavior in threats including Qbot, Ursnif, and Zloader, to name a few examples. Part of the RedCanary 2024 Threat Detection Report.

Read More

The following pseudo-detector should help security teams detect instances where Rundll32 opens a cross process handle into LSASS to collect credentials. Part of the RedCanary 2024 Threat Detection Report.

Read More

As is the case with most techniques in this report, it's critical that you are able to take stock of what is normal in your environment if you hope to be able to identify what isn't. In the context of Rundll32, you’ll want to monitor for executions of rundll32.exe from unusual parent processes, and the following pseudo-analytic—based on an amalgamation of Red Canary detection logic—should help security teams do just that. Part of the RedCanary 2024 Threat Detection Report.

Read More

Rundll32 does not normally execute without corresponding command-line arguments and while spawning a child process. Given this, you may want to alert on the execution of processes that appear to be rundll32.exe without any command-line arguments , especially when they spawn child processes or make network connections. Part of the RedCanary 2024 Threat Detection Report.

Read More

Consider monitoring for instances of rundll32.exe running Windows native DLLs that have export functionalities that adversaries commonly leverage for executing malicious code and evading defensive controls. The following pseudo-analytic applies specifically to adversaries who use the MiniDump export functionality of comsvcs.dll to dump the contents of LSASS, but this logic could be adapted to detect other malicious activity as well. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects the DllRegisterServer export function implemented with Rundll32. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances where Rundll32 opens a cross process handle into LSASS to collect credentials. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of Rundll32 being spawned by unusual or suspicious parent processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of Rundll32 without a command line spawning child processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

DLLs that are designed to be loaded by Regsvr32 are expected to have a DllRegisterServer export function implemented. This detects use of the same DLL to rundll32.exe. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects instances of rundll32.exe running Windows native DLLs that have export functionalities that adversaries commonly leverage for executing malicious code and evading defensive controls. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects executions of rundll32.exe from unusual or suspicious parent processes. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects instances of rundll32.exe with no command line that spawns a child process. Inspired by the 2022 Red Canary Threat Detection report.

Read More