Adversaries may find it necessary to use Dyanamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be “executed” is through the use of the built-in Windows utility RunDLL32, which allows a user to execute code in a DLL, providing the name and optional arguments to an exported entry point. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful.
|Technique||Subtechnique(s)||Tactic(s)||Level of Coverage|
|System Binary Proxy Execution||Rundll32||Defense Evasion||Moderate|
|D3-PSA||Process Spawn Analysis|
Data Model References
When looking for all instances of RunDLL32, it is imperative to also have the
command_line information, which contains the DLL information, including the name, entry point, and optional arguments.
process = search Process:Create rundll32 = filter process where (exe == "rundll32.exe") output rundll32
Dnif, Sysmon native
DNIF version of the above pseudocode.
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=rundll32.exe limit 100
Logpoint, LogPoint native
LogPoint version of the above pseudocode.
norm_id=WindowsSysmon event_id=1 image="*\rundll32.exe"
Test Case 1
Configurations: Windows 7
Execute rundll32.exe from a command window
c:\windows\syswow64\rundll32.exe RUNDLL32.EXE SHELL32.DLL,Control_RunDLL desk.cpl,,0