{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/command-shell/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["execution","command-shell","rundll32"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers commonly abuse RunDLL32, a legitimate Windows utility, to execute malicious code by hosting it within DLLs. This technique allows adversaries to launch command shells like cmd.exe or PowerShell, effectively bypassing traditional security controls. Defenders should be aware of this technique because it provides a stealthy way for attackers to execute arbitrary commands, potentially leading to further compromise of the system. This activity is detected by monitoring for command shells initiated by RunDLL32, while excluding known benign patterns to reduce false positives. The detection rule was last updated on 2026/05/04 and supports multiple data sources, including Elastic Defend, Microsoft Defender XDR, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker uses RunDLL32.exe to execute a malicious DLL.\u003c/li\u003e\n\u003cli\u003eRunDLL32.exe loads the specified DLL into memory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL contains code to execute a command shell (cmd.exe or powershell.exe).\u003c/li\u003e\n\u003cli\u003eRunDLL32.exe spawns a command shell process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the command shell to execute commands for reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the command shell to download additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the command shell to perform lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on the compromised system. While the rule is rated \u0026ldquo;low\u0026rdquo; severity, this initial access can lead to credential access (T1552) and further lateral movement within the network. Attackers can potentially gain full control of the system, leading to data theft, system disruption, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Command Shell Activity Started via RunDLL32\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eReview the process details of RunDLL32.exe to confirm the parent-child relationship with the command shell, helping to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring for rundll32.exe and related processes to detect similar activities in the future and improve response times.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-rundll32-cmd-shell/","summary":"This rule detects command shell activity, such as cmd.exe or powershell.exe, initiated by RunDLL32, a technique commonly abused by attackers to execute malicious code and bypass security controls.","title":"Command Shell Activity Started via RunDLL32","url":"https://feed.craftedsignal.io/briefs/2026-05-rundll32-cmd-shell/"}],"language":"en","title":"CraftedSignal Threat Feed — Command-Shell","version":"https://jsonfeed.org/version/1.1"}