Adversaries may find it necessary to use Dynamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be "executed" is through the built-in Windows utility RunDLL32, which lets a user execute code in a DLL by supplying the DLL name and optional arguments to an exported entry point. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful.
| Technique | Tactic | Level of Coverage |
|---|---|---|
When looking for all instances of RunDLL32, it is imperative to also capture the command line, which carries the DLL information: the DLL name, the entry point, and any optional arguments.

```
process = search Process:Create
rundll32 = filter process where (exe == "rundll32.exe")
output rundll32
```
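The pseudocode above only selects the events; a reviewer still needs the DLL, entry point and arguments pulled out of each command line, and the baseline mentioned earlier to decide which pairs are normal for the environment. The following is an added example, not part of the CAR analytic or its reference implementation. It runs the same filter over constructed process-creation events (the Sysmon-like field names `event`, `exe` and `command_line` are an assumption), parses the documented `<dll>,<entrypoint> [arguments]` syntax, and reports the hits whose (DLL, entry point) pair is outside a constructed known-good set.

```python
"""Added example: filter rundll32.exe process-creation events, parse the command
line into DLL / entry point / arguments, and compare against a baseline.
Event field names and all sample data are constructed for this example."""
import ntpath
import re

# Constructed sample events. The first command line is the analytic's own test case.
SAMPLE_EVENTS = [
    {"event": "Process:Create", "exe": "rundll32.exe",
     "command_line": r"c:\windows\syswow64\rundll32.exe RUNDLL32.EXE SHELL32.DLL,Control_RunDLL desk.cpl,,0"},
    {"event": "Process:Create", "exe": "explorer.exe",
     "command_line": r"C:\Windows\explorer.exe"},
    {"event": "Process:Create", "exe": "rundll32.exe",
     "command_line": r'rundll32.exe "C:\Users\Public\unknown.dll",DllRegisterServer'},
    {"event": "Process:Create", "exe": "rundll32.exe",
     "command_line": r"C:\Windows\System32\rundll32.exe"},  # no DLL named at all
]

# Constructed baseline of (dll basename, entry point) pairs known to be normal here.
KNOWN_GOOD = {("shell32.dll", "control_rundll")}

# Leading rundll32 executable token, quoted or not. It may appear twice when argv[0]
# is repeated, as in the analytic's test-case command line, so it is stripped in a loop.
_EXE_RE = re.compile(r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s*', re.IGNORECASE)

# <dll>[,<entrypoint>] [arguments]: the documented RunDLL32 syntax. A quoted DLL path
# may contain spaces; an unquoted one ends at the first space or comma.
_SPEC_RE = re.compile(
    r'^(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))'
    r'(?:\s*,\s*(?P<entry>[^\s,]+))?'
    r'\s*(?P<args>.*)$'
)


def parse_rundll32_command_line(command_line):
    """Return {'dll', 'entry_point', 'args'} for a rundll32 command line.
    dll is None when the command line names no DLL."""
    rest = command_line
    while True:
        m = _EXE_RE.match(rest)
        if not m:
            break
        rest = rest[m.end():]
    rest = rest.strip()
    m = _SPEC_RE.match(rest) if rest else None
    if not m:
        return {"dll": None, "entry_point": None, "args": ""}
    return {
        "dll": m.group("qdll") or m.group("dll"),
        "entry_point": m.group("entry"),
        "args": m.group("args").strip(),
    }


def find_rundll32_events(events):
    """The analytic's filter: Process:Create events whose image is rundll32.exe,
    each carrying its command line plus the parsed DLL, entry point and arguments."""
    hits = []
    for ev in events:
        if ev.get("event") != "Process:Create":
            continue
        if ev.get("exe", "").lower() != "rundll32.exe":
            continue
        cmd = ev.get("command_line", "")
        hits.append({"command_line": cmd, **parse_rundll32_command_line(cmd)})
    return hits


def outside_baseline(hits, baseline):
    """Hits whose (dll basename, entry point) pair is not in the known-good set.
    Hits that name no DLL are kept as well, since there is nothing to baseline them on."""
    flagged = []
    for h in hits:
        if h["dll"] is None:
            flagged.append(h)
            continue
        key = (ntpath.basename(h["dll"]).lower(), (h["entry_point"] or "").lower())
        if key not in baseline:
            flagged.append(h)
    return flagged


if __name__ == "__main__":
    for h in outside_baseline(find_rundll32_events(SAMPLE_EVENTS), KNOWN_GOOD):
        print(f"review: dll={h['dll']!r} entry={h['entry_point']!r} args={h['args']!r}")
        print(f"        {h['command_line']}")
```

Run as-is, the script reports the two events a reviewer would want to look at: the DLL loaded from a user-writable directory with an entry point not in the baseline, and the invocation that names no DLL at all. The Control Panel applet launch from the test case is parsed and then suppressed by the baseline. Extending `KNOWN_GOOD` from a period of observed normal activity is the baselining step the analytic refers to.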
Test Case 1:
- Configurations: Windows 7
- Description: Execute rundll32.exe from a command window
```
c:\windows\syswow64\rundll32.exe RUNDLL32.EXE SHELL32.DLL,Control_RunDLL desk.cpl,,0
```
Data Model References