Adversaries may find it necessary to use Dynamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be "executed" is through the use of the built-in Windows utility RunDLL32, which allows a user to execute code in a DLL by providing the name of an exported entry point and optional arguments. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful.

ATT&CK Detection

| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Signed Binary Proxy Execution | Rundll32 | Defense Evasion | Moderate |

Data Model References

| Object | Action | Field |
|---|---|---|
| process | create | exe |
| process | create | command_line |

Implementations

Pseudocode

When looking for all instances of RunDLL32, it is imperative to also have the command_line information, which contains the DLL information, including the name, entry point, and optional arguments.

process = search Process:Create
rundll32 = filter process where (exe == "rundll32.exe")
output rundll32
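The following is an added example of the pseudocode applied to process-create telemetry, not part of the original analytic: it filters constructed Sysmon Event ID 1 records for rundll32.exe and splits the command line into the DLL name, entry point and arguments that the text says an analyst needs. The record field names (Image, CommandLine, EventID) follow Sysmon's event schema; the sample records themselves are made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon Event ID 1 (process create) records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" SHELL32.DLL,Control_RunDLL desk.cpl,,0'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"c:\windows\syswow64\rundll32.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe other.dll,Entry"},
]

@dataclass
class RunDllHit:
    exe: str
    command_line: str
    dll: Optional[str]          # None when rundll32 was started with no DLL argument
    entry_point: Optional[str]
    arguments: Optional[str]

# rundll32 syntax: <rundll32 path, possibly quoted> <dll>,<entry point> [arguments]
_CMD_RE = re.compile(
    r'^\s*(?:"[^"]*"|\S+)\s*'
    r'(?:(?P<dll>[^\s,]+)(?:,(?P<entry>\S+))?(?:\s+(?P<args>.*))?)?$'
)

def parse_rundll32_command(command_line: str):
    """Return (dll, entry_point, arguments) from a rundll32 command line."""
    m = _CMD_RE.match(command_line)
    if not m or not m.group("dll"):
        return None, None, None
    return m.group("dll"), m.group("entry"), m.group("args")

def find_rundll32(events):
    """Analogue of the pseudocode: process-create events whose exe is rundll32.exe."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:          # only process creates
            continue
        exe = ev["Image"].rsplit("\\", 1)[-1].lower()   # path-insensitive match
        if exe != "rundll32.exe":
            continue
        dll, entry, args = parse_rundll32_command(ev["CommandLine"])
        hits.append(RunDllHit(ev["Image"], ev["CommandLine"], dll, entry, args))
    return hits
```

The third sample record shows why the command line matters: the exe alone is enough to flag the process, but only the parsed fields tell an analyst which DLL and entry point were loaded.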

Dnif, Sysmon native

DNIF version of the above pseudocode.

_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=rundll32.exe limit 100

Unit Tests

Test Case 1

Configurations: Windows 7

Execute rundll32.exe from a command window

c:\windows\syswow64\rundll32.exe
RUNDLL32.EXE SHELL32.DLL,Control_RunDLL desk.cpl,,0