{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rundll32/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["execution","command-shell","rundll32"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers commonly abuse RunDLL32, a legitimate Windows utility, to execute malicious code by hosting it within DLLs. This technique allows adversaries to launch command shells like cmd.exe or PowerShell, effectively bypassing traditional security controls. Defenders should be aware of this technique because it provides a stealthy way for attackers to execute arbitrary commands, potentially leading to further compromise of the system. This activity is detected by monitoring for command shells initiated by RunDLL32, while excluding known benign patterns to reduce false positives. 
The detection rule was last updated on 2026/05/04 and supports multiple data sources, including Elastic Defend, Microsoft Defender XDR, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker uses RunDLL32.exe to execute a malicious DLL.\u003c/li\u003e\n\u003cli\u003eRunDLL32.exe loads the specified DLL into memory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL contains code to execute a command shell (cmd.exe or powershell.exe).\u003c/li\u003e\n\u003cli\u003eRunDLL32.exe spawns a command shell process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the command shell to execute commands for reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the command shell to download additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the command shell to perform lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on the compromised system. While the rule is rated \u0026ldquo;low\u0026rdquo; severity, this initial access can lead to credential access (T1552) and further lateral movement within the network. 
Attackers can potentially gain full control of the system, leading to data theft, system disruption, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Command Shell Activity Started via RunDLL32\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eReview the process details of RunDLL32.exe to confirm the parent-child relationship with the command shell, helping to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring for rundll32.exe and related processes to detect similar activities in the future and improve response times.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-rundll32-cmd-shell/","summary":"This rule detects command shell activity, such as cmd.exe or powershell.exe, initiated by RunDLL32, a technique commonly abused by attackers to execute malicious code and bypass security controls.","title":"Command Shell Activity Started via RunDLL32","url":"https://feed.craftedsignal.io/briefs/2026-05-rundll32-cmd-shell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-evasion","ads","rundll32","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRundll32 is a legitimate Windows utility used to execute DLLs. However, adversaries can abuse this functionality to execute malicious code while evading detection. This technique involves storing a malicious DLL within an Alternate Data Stream (ADS) of a file. ADS allows hiding data within existing files, making it less likely to be discovered by standard file system scans. 
When rundll32.exe is then used to execute the DLL from the ADS, it can bypass application whitelisting and other security measures, as the execution appears to originate from the trusted rundll32.exe process. This technique has been observed across various threat actors seeking to establish persistence or execute arbitrary code.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through methods like phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious DLL to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line utility to write the DLL into an Alternate Data Stream (ADS) of an existing file, such as a text file or image. For example: \u003ccode\u003eecho \u0026quot;DLL content\u0026quot; \u0026gt; legitimate_file.txt:malicious.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003erundll32.exe\u003c/code\u003e to execute the DLL stored in the ADS. The command typically looks like: \u003ccode\u003erundll32.exe \u0026quot;C:\\ads\\file.txt:ADSDLL.dll\u0026quot;,DllMain\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRundll32.exe loads and executes the malicious DLL from the ADS.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs its intended actions, such as establishing persistence, downloading additional payloads, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use additional techniques to further conceal their activity, such as obfuscating the command line or using process injection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows arbitrary code execution on the targeted system. Attackers can use this technique to establish persistence, escalate privileges, bypass security controls, and deploy further malware. 
The use of ADS makes detection more challenging, as the malicious DLL is hidden within a seemingly benign file. This can lead to data breaches, system compromise, and potential financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the command-line arguments used with \u003ccode\u003erundll32.exe\u003c/code\u003e (as used in the Sigma rules below).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious \u003ccode\u003erundll32.exe\u003c/code\u003e executions from ADS.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual file modifications that involve writing data to alternate data streams.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T15:30:00Z","date_published":"2024-01-08T15:30:00Z","id":"/briefs/2024-01-08-rundll32-ads/","summary":"Adversaries may use rundll32.exe to execute DLLs stored within alternate data streams (ADS) to bypass security controls and conceal malicious code.","title":"Rundll32 Execution with DLL Stored in Alternate Data Stream (ADS)","url":"https://feed.craftedsignal.io/briefs/2024-01-08-rundll32-ads/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","proxy-execution","rundll32"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies instances where \u003ccode\u003erundll32.exe\u003c/code\u003e is executed without arguments or with malformed arguments, immediately followed by the execution of a child process. This behavior is atypical, as \u003ccode\u003erundll32.exe\u003c/code\u003e is normally invoked with specific parameters indicating a DLL, export, or Control_RunDLL target. 
Attackers may exploit this by using \u003ccode\u003erundll32.exe\u003c/code\u003e as a proxy to execute other malicious payloads or for command and control. The detection logic focuses on identifying instances where the argument count is one and the command line does not conform to expected patterns. Malware has been observed using this behavior to evade traditional detection methods by proxying execution through a trusted Windows utility. This rule is applicable to endpoint telemetry, Windows event logs, and CrowdStrike FDR data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn initial access vector, such as a phishing email or exploit, delivers an initial payload to the system.\u003c/li\u003e\n\u003cli\u003eThe initial payload executes, potentially dropping or creating a file on disk, or directly invoking rundll32.exe.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erundll32.exe\u003c/code\u003e is executed without arguments, or with malformed arguments, bypassing typical usage patterns. 
This is the key indicator the rule detects.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erundll32.exe\u003c/code\u003e spawns a child process, which could be a script interpreter (e.g., \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e), another executable, or a network utility.\u003c/li\u003e\n\u003cli\u003eThe child process executes malicious code, downloads additional payloads, or establishes a command and control connection.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the child process for lateral movement or privilege escalation within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective could include data exfiltration, ransomware deployment, or persistent access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe adversary uses \u003ccode\u003erundll32.exe\u003c/code\u003e to hide the execution of the malicious process and blend into normal system activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to gain control of the affected system. This can result in data breaches, system compromise, and potential lateral movement within the network. The use of a trusted system binary like \u003ccode\u003erundll32.exe\u003c/code\u003e makes detection more challenging. It affects Windows systems and can be used in targeted attacks as well as widespread campaigns. 
Organizations failing to detect this behavior are at risk of significant data loss and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnusual RunDLL32 Child Process\u003c/code\u003e to your SIEM and tune for your environment to detect the execution of \u003ccode\u003erundll32.exe\u003c/code\u003e without arguments, followed by a child process.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to collect the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine the legitimacy of the \u003ccode\u003erundll32.exe\u003c/code\u003e execution and the spawned child process.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted executables in your environment, mitigating the impact of this technique.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for unusual parent-child relationships involving \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-rundll32-no-args/","summary":"The execution of `rundll32.exe` without arguments, followed by a child process execution, indicates potential abuse of Rundll32 for proxy execution or payload handoff, often employed for defense evasion on Windows systems.","title":"Unusual Child Processes of RunDLL32 Execution Without Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-rundll32-no-args/"}],"language":"en","title":"CraftedSignal Threat Feed — Rundll32","version":"https://jsonfeed.org/version/1.1"}