Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities

Detects the creation of a remote thread from a Powershell process in a rundll32 process

Detects a "winlogon.exe" process that initiate network communications with public IP addresses

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Detects the execution of Rundll32.exe with DLL files masquerading as image files

Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.

Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.

F-Secure C3 produces DLLs with a default exported StartNodeRelay function.

Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory

Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits

Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility

Detects shell32.dll executing a DLL in a suspicious directory

Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.

Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way

Detects suspicious calls of DLLs in rundll32.dll exports by ordinal

Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452

Detects suspicious process related to rundll32 based on arguments

setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.

Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.

An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver

Detects a rundll32 that communicates with public IP addresses

Detects rundll32 execution where the DLL is located on a remote location (share)

Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll

Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl