Command-Shell — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/command-shell/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 14:17:05 +0000Command Shell Activity Started via RunDLL32https://feed.craftedsignal.io/briefs/2026-05-rundll32-cmd-shell/Mon, 04 May 2026 14:17:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-rundll32-cmd-shell/This rule detects command shell activity, such as cmd.exe or powershell.exe, initiated by RunDLL32, a technique commonly abused by attackers to execute malicious code and bypass security controls.Attackers commonly abuse RunDLL32, a legitimate Windows utility, to execute malicious code by hosting it within DLLs. This technique allows adversaries to launch command shells like cmd.exe or PowerShell, effectively bypassing traditional security controls. Defenders should be aware of this technique because it provides a stealthy way for attackers to execute arbitrary commands, potentially leading to further compromise of the system. This activity is detected by monitoring for command shells initiated by RunDLL32, while excluding known benign patterns to reduce false positives. The detection rule was last updated on 2026/05/04 and supports multiple data sources, including Elastic Defend, Microsoft Defender XDR, and Sysmon.

Attack Chain

  1. The attacker gains initial access to the system through an exploit or social engineering.
  2. The attacker uses RunDLL32.exe to execute a malicious DLL.
  3. RunDLL32.exe loads the specified DLL into memory.
  4. The malicious DLL contains code to execute a command shell (cmd.exe or powershell.exe).
  5. RunDLL32.exe spawns a command shell process.
  6. The attacker uses the command shell to execute commands for reconnaissance.
  7. The attacker may use the command shell to download additional payloads.
  8. The attacker leverages the command shell to perform lateral movement.

Impact

Successful exploitation allows attackers to execute arbitrary commands on the compromised system. While the rule is rated “low” severity, this initial access can lead to credential access (T1552) and further lateral movement within the network. Attackers can potentially gain full control of the system, leading to data theft, system disruption, or other malicious activities.

Recommendation

  • Deploy the Sigma rule “Command Shell Activity Started via RunDLL32” to your SIEM and tune for your environment.
  • Enable Sysmon process creation logging (Event ID 1) to provide the necessary data for this detection.
  • Review the process details of RunDLL32.exe to confirm the parent-child relationship with the command shell, helping to reduce false positives.
  • Implement enhanced monitoring for rundll32.exe and related processes to detect similar activities in the future and improve response times.
]]>lowadvisoryexecutioncommand-shellrundll32