<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rundll32 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/rundll32/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 04 May 2026 14:17:05 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/rundll32/feed.xml" rel="self" type="application/rss+xml"/><item><title>Command Shell Activity Started via RunDLL32</title><link>https://feed.craftedsignal.io/briefs/2026-05-rundll32-cmd-shell/</link><pubDate>Mon, 04 May 2026 14:17:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-rundll32-cmd-shell/</guid><description>This rule detects command shell activity, such as cmd.exe or powershell.exe, initiated by RunDLL32, a technique commonly abused by attackers to execute malicious code and bypass security controls.</description><content:encoded><![CDATA[<p>Attackers commonly abuse RunDLL32, a legitimate Windows utility, to execute malicious code by hosting it within DLLs. This technique allows adversaries to launch command shells like cmd.exe or PowerShell, effectively bypassing traditional security controls. Defenders should be aware of this technique because it provides a stealthy way for attackers to execute arbitrary commands, potentially leading to further compromise of the system. This activity is detected by monitoring for command shells initiated by RunDLL32, while excluding known benign patterns to reduce false positives. 
The detection rule was last updated on 2026/05/04 and supports multiple data sources, including Elastic Defend, Microsoft Defender XDR, and Sysmon.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system through an exploit or social engineering.</li>
<li>The attacker uses RunDLL32.exe to execute a malicious DLL.</li>
<li>RunDLL32.exe loads the specified DLL into memory.</li>
<li>The malicious DLL contains code to execute a command shell (cmd.exe or powershell.exe).</li>
<li>RunDLL32.exe spawns a command shell process.</li>
<li>The attacker uses the command shell to execute commands for reconnaissance.</li>
<li>The attacker may use the command shell to download additional payloads.</li>
<li>The attacker leverages the command shell to perform lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to execute arbitrary commands on the compromised system. While the rule is rated &ldquo;low&rdquo; severity, this initial access can lead to credential access (T1552) and further lateral movement within the network. Attackers can potentially gain full control of the system, leading to data theft, system disruption, or other malicious activities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Command Shell Activity Started via RunDLL32&rdquo; to your SIEM and tune for your environment.</li>
<li>Enable Sysmon process creation logging (Event ID 1) to provide the necessary data for this detection.</li>
<li>Review the process details of RunDLL32.exe to confirm the parent-child relationship with the command shell, helping to reduce false positives.</li>
<li>Implement enhanced monitoring for rundll32.exe and related processes to detect similar activities in the future and improve response times.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>execution</category><category>command-shell</category><category>rundll32</category></item><item><title>Rundll32 Execution with DLL Stored in Alternate Data Stream (ADS)</title><link>https://feed.craftedsignal.io/briefs/2024-01-08-rundll32-ads/</link><pubDate>Mon, 08 Jan 2024 15:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-08-rundll32-ads/</guid><description>Adversaries may use rundll32.exe to execute DLLs stored within alternate data streams (ADS) to bypass security controls and conceal malicious code.</description><content:encoded><![CDATA[<p>Rundll32 is a legitimate Windows utility used to execute DLLs. However, adversaries can abuse this functionality to execute malicious code while evading detection. This technique involves storing a malicious DLL within an Alternate Data Stream (ADS) of a file. ADS allows hiding data within existing files, making it less likely to be discovered by standard file system scans. When rundll32.exe is then used to execute the DLL from the ADS, it can bypass application whitelisting and other security measures, as the execution appears to originate from the trusted rundll32.exe process. This technique has been observed across various threat actors seeking to establish persistence or execute arbitrary code.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the system through methods like phishing or exploiting a vulnerability.</li>
<li>The attacker uploads a malicious DLL to the target system.</li>
<li>The attacker uses a command-line utility to write the DLL into an Alternate Data Stream (ADS) of an existing file, such as a text file or image. For example: <code>echo &quot;DLL content&quot; &gt; legitimate_file.txt:malicious.dll</code>.</li>
<li>The attacker uses <code>rundll32.exe</code> to execute the DLL stored in the ADS. The command typically looks like: <code>rundll32.exe &quot;C:\ads\file.txt:ADSDLL.dll&quot;,DllMain</code>.</li>
<li>Rundll32.exe loads and executes the malicious DLL from the ADS.</li>
<li>The malicious DLL performs its intended actions, such as establishing persistence, downloading additional payloads, or exfiltrating data.</li>
<li>The attacker may use additional techniques to further conceal their activity, such as obfuscating the command line or using process injection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows arbitrary code execution on the targeted system. Attackers can use this technique to establish persistence, escalate privileges, bypass security controls, and deploy further malware. The use of ADS makes detection more challenging, as the malicious DLL is hidden within a seemingly benign file. This can lead to data breaches, system compromise, and potential financial losses.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process creation logging to capture the command-line arguments used with <code>rundll32.exe</code> (as used in the Sigma rules below).</li>
<li>Deploy the Sigma rules in this brief to your SIEM to detect suspicious <code>rundll32.exe</code> executions from ADS.</li>
<li>Monitor for unusual file modifications that involve writing data to alternate data streams.</li>
<li>Implement application whitelisting to restrict the execution of unauthorized executables.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>ads</category><category>rundll32</category><category>windows</category></item><item><title>Unusual Child Processes of RunDLL32 Execution Without Arguments</title><link>https://feed.craftedsignal.io/briefs/2024-01-rundll32-no-args/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rundll32-no-args/</guid><description>The execution of `rundll32.exe` without arguments, followed by the execution of a child process, indicates potential abuse of Rundll32 for proxy execution or payload handoff, often employed for defense evasion on Windows systems.</description><content:encoded><![CDATA[<p>This detection identifies instances where <code>rundll32.exe</code> is executed without arguments or with malformed arguments, immediately followed by the execution of a child process. This behavior is atypical, as <code>rundll32.exe</code> is normally invoked with specific parameters indicating a DLL, export, or Control_RunDLL target. Attackers may exploit this by using <code>rundll32.exe</code> as a proxy to execute other malicious payloads or for command and control. The detection logic focuses on identifying instances where the argument count is one and the command line does not conform to expected patterns. Malware has been observed using this behavior to evade traditional detection methods by proxying execution through a trusted Windows utility. This rule is applicable to endpoint telemetry, Windows event logs, and CrowdStrike FDR data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An initial access vector, such as a phishing email or exploit, delivers an initial payload to the system.</li>
<li>The initial payload executes, potentially dropping or creating a file on disk, or directly invoking rundll32.exe.</li>
<li><code>rundll32.exe</code> is executed without arguments, or with malformed arguments, bypassing typical usage patterns. This is the key indicator the rule detects.</li>
<li><code>rundll32.exe</code> spawns a child process, which could be a script interpreter (e.g., <code>powershell.exe</code>, <code>cmd.exe</code>), another executable, or a network utility.</li>
<li>The child process executes malicious code, downloads additional payloads, or establishes a command and control connection.</li>
<li>The attacker leverages the child process for lateral movement or privilege escalation within the network.</li>
<li>The final objective could include data exfiltration, ransomware deployment, or persistent access to the compromised system.</li>
<li>The adversary uses <code>rundll32.exe</code> to hide the execution of the malicious process and blend into normal system activity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to arbitrary code execution, allowing attackers to gain control of the affected system. This can result in data breaches, system compromise, and potential lateral movement within the network. The use of a trusted system binary like <code>rundll32.exe</code> makes detection more challenging. It affects Windows systems and can be used in targeted attacks as well as widespread campaigns. Organizations failing to detect this behavior are at risk of significant data loss and operational disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Unusual RunDLL32 Child Process</code> to your SIEM and tune for your environment to detect the execution of <code>rundll32.exe</code> without arguments, followed by a child process.</li>
<li>Enable Sysmon process creation logging (Event ID 1) to collect the necessary data for the Sigma rule.</li>
<li>Investigate any alerts generated by this rule to determine the legitimacy of the <code>rundll32.exe</code> execution and the spawned child process.</li>
<li>Implement application control policies to restrict the execution of unsigned or untrusted executables in your environment, mitigating the impact of this technique.</li>
<li>Monitor process execution events for unusual parent-child relationships involving <code>rundll32.exe</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>proxy-execution</category><category>rundll32</category></item></channel></rss>