Adversaries may find it necessary to use Dynamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be "executed" is through the built-in Windows utility RunDLL32, which lets a user execute code in a DLL by naming the DLL and an exported entry point, followed by optional arguments. Windows uses RunDll32 legitimately in its normal operation, so its presence alone is not an indicator; with a proper baseline and an understanding of the environment, however, monitoring its usage, and in particular which DLL and entry point each invocation names, can be fruitful.

ATT&CK Detection

Technique   Tactic           Level of Coverage
Rundll32    Defense Evasion  High

Pseudocode

When looking for all instances of RunDLL32, it is imperative to also collect the command line, which carries the DLL information: the DLL name, the entry point, and any optional arguments. The match on the executable should be case-insensitive and independent of path, since rundll32.exe exists both under System32 and, on 64-bit systems, under SysWOW64.

process = search Process:Create
rundll32 = filter process where (exe == "rundll32.exe")
output rundll32

Unit Tests

Test Case 1:

  • Configurations: Windows 7
  • Description: Execute rundll32.exe from a command window, once bare via its SysWOW64 path and once with a DLL, entry point and arguments (the second command opens the Display control panel applet and is a legitimate invocation the analytic should still report)
  • Commands:
    c:\windows\syswow64\rundll32.exe
    RUNDLL32.EXE SHELL32.DLL,Control_RunDLL desk.cpl,,0

Data Model References

Object    Action   Field
process   create   exe
process   create   command_line