T1218.011 Rundll32 Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousDLLs = dynamic(["zipfldr.dll", "ieframe.dll", "comsvcs.dll", "shell32.dll", "advpack.dll", "shdocvw.dll"]);
let SuspiciousFunctions = dynamic(["MiniDump", "Control_RunDLL", "RunHTMLApplication", "LaunchINFSection", "OpenURL"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "rundll32.exe"
| extend JavaScriptExec = ProcessCommandLine has_any ("javascript:", "mshtml", "RunHTMLApplication")
| extend RemoteSCT = ProcessCommandLine has_any ("http://", "https://", "GetObject(")
| extend MiniDump = ProcessCommandLine has "MiniDump"
| extend ControlPanel = ProcessCommandLine has_any ("Control_RunDLL", ".cpl")
| extend SuspiciousFunc = ProcessCommandLine has_any (SuspiciousFunctions)
| extend SuspiciousPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Public", "Desktop")
| extend OrdinalLoad = ProcessCommandLine matches regex @",#\d+"
| extend SuspiciousParent = InitiatingProcessFileName has_any ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where JavaScriptExec or RemoteSCT or MiniDump or (SuspiciousPath and SuspiciousParent) or SuspiciousParent
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, JavaScriptExec, RemoteSCT, MiniDump, ControlPanel,
         SuspiciousPath, OrdinalLoad, SuspiciousParent
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software using rundll32.exe to load and execute DLL functions from Program Files, such as printer drivers, codec installers, and application extensions
Windows itself uses rundll32.exe for various system functions including Control Panel applets and shell extensions
Software deployment tools (SCCM) that use rundll32.exe to trigger installation DLL entry points
Security tools and EDR agents that may use rundll32.exe as part of their injection or hooking mechanisms

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\rundll32.exe" OR ParentImage="*\\rundll32.exe")
| eval JavaScriptExec=if(match(CommandLine, "(javascript:|mshtml|RunHTMLApplication)"), 1, 0)
| eval RemoteSCT=if(match(CommandLine, "(http[s]?://|GetObject\()"), 1, 0)
| eval MiniDump=if(match(CommandLine, "MiniDump"), 1, 0)
| eval ControlPanel=if(match(CommandLine, "(Control_RunDLL|\.cpl)"), 1, 0)
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|Desktop)"), 1, 0)
| eval OrdinalLoad=if(match(CommandLine, ",#[0-9]+"), 1, 0)
| eval OfficeParent=if(match(ParentImage, "(winword|excel|outlook|powerpnt)\.exe"), 1, 0)
| eval ScriptParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta)\.exe"), 1, 0)
| eval SuspiciousChild=if((ParentImage="*\\rundll32.exe") AND match(Image, "(cmd|powershell|wscript|cscript|net|certutil)\.exe"), 1, 0)
| eval RiskScore=JavaScriptExec + RemoteSCT + MiniDump + (SuspiciousPath * (OfficeParent + ScriptParent)) + OrdinalLoad + OfficeParent + SuspiciousChild
| where RiskScore > 0 OR SuspiciousChild=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, JavaScriptExec, RemoteSCT, MiniDump, ControlPanel, SuspiciousPath, OrdinalLoad, OfficeParent, ScriptParent, SuspiciousChild, RiskScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software using rundll32.exe to load and execute DLL functions from Program Files
Windows system functions using rundll32.exe for Control Panel applets and shell extensions
Software deployment tools using rundll32.exe to trigger installation DLL entry points
Security tools and EDR agents using rundll32.exe as part of their mechanisms

Elastic Security (EQL)

eql

sequence by host.id with maxspan=30s
  [process where event.type == "start"
   and process.name : "rundll32.exe"
   and (
     process.command_line : ("*javascript:*", "*mshtml*", "*RunHTMLApplication*") or
     process.command_line : ("*http://*", "*https://*", "*GetObject(*") or
     process.command_line : ("*MiniDump*") or
     process.command_line : ("*Control_RunDLL*", "*.cpl*") or
     (
       process.command_line : ("*Temp*", "*AppData*", "*Downloads*", "*Public*", "*Desktop*") and
       process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                               "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
     ) or
     process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                             "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe") or
     process.command_line : ("*,#[0-9]*")
   )
  ] by process.pid
  [any where true] by process.parent.pid

OR

process where event.type == "start"
and process.parent.name : "rundll32.exe"
and process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "net.exe", "certutil.exe")

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate software installers and updaters that invoke rundll32.exe with Control_RunDLL to launch .cpl control panel applets (e.g., scheduled maintenance tools)
Enterprise IT management tools (SCCM, PDQ Deploy) that call rundll32.exe from cmd.exe or PowerShell scripts during software deployment workflows
Developers or security researchers invoking comsvcs.dll MiniDump for legitimate process dump analysis or debugging purposes on developer workstations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Command") MATCHES '(javascript:|mshtml|runhtmlapplication)' THEN 1 ELSE 0
  END AS javascript_exec,
  CASE
    WHEN LOWER("Command") MATCHES '(https?://|getobject\()' THEN 1 ELSE 0
  END AS remote_sct,
  CASE
    WHEN LOWER("Command") MATCHES 'minidump' THEN 1 ELSE 0
  END AS minidump_flag,
  CASE
    WHEN LOWER("Command") MATCHES '(control_rundll|\.cpl)' THEN 1 ELSE 0
  END AS control_panel,
  CASE
    WHEN LOWER("Command") MATCHES '(temp|appdata|downloads|public|desktop)' THEN 1 ELSE 0
  END AS suspicious_path,
  CASE
    WHEN LOWER("Command") MATCHES ',#[0-9]+' THEN 1 ELSE 0
  END AS ordinal_load,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '(winword|excel|outlook|powerpnt)\.exe' THEN 1 ELSE 0
  END AS office_parent,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '(cmd|powershell|wscript|cscript|mshta)\.exe' THEN 1 ELSE 0
  END AS script_parent
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND ("EventID" = 4688 OR "EventID" = 1)
  AND (LOWER("Process Name") MATCHES '.*\\rundll32\.exe'
       OR LOWER("Command") MATCHES '.*rundll32.*')
  AND (
    LOWER("Command") MATCHES '(javascript:|mshtml|runhtmlapplication)'
    OR LOWER("Command") MATCHES '(https?://|getobject\()'
    OR LOWER("Command") MATCHES 'minidump'
    OR LOWER("Parent Process Name") MATCHES '(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)\.exe'
    OR LOWER("Command") MATCHES ',#[0-9]+'
  )
  AND starttime > NOW() - 86400 SECONDS
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon via Windows Event Log DSM Microsoft Sysmon DSM

Required Tables

events

False Positives

Legitimate antivirus or endpoint detection products that use rundll32.exe with system DLLs during scanning or remediation routines, especially via PowerShell parent processes
Windows system maintenance tasks such as SFC or DISM wrappers that internally invoke rundll32.exe with shell32.dll functions from administrative cmd.exe sessions
Software deployment pipelines (SCCM, Intune) that chain PowerShell or cmd.exe to rundll32.exe for MSI-related installation helper calls

Sumo Logic CSE

sql

_sourceCategory=*WinEvent* OR _sourceCategory=*Sysmon* OR _sourceCategory=*endpoint*
| where EventID in ("1", "4688")
| where toLowerCase(process_name) matches "*rundll32.exe*" or toLowerCase(command_line) matches "*rundll32*"
| eval javascript_exec = if(matches(toLowerCase(command_line), ".*javascript:.*") or matches(toLowerCase(command_line), ".*mshtml.*") or matches(toLowerCase(command_line), ".*runhtmlapplication.*"), 1, 0)
| eval remote_sct = if(matches(command_line, ".*https?://.*") or matches(toLowerCase(command_line), ".*getobject\\(.*"), 1, 0)
| eval minidump_flag = if(matches(toLowerCase(command_line), ".*minidump.*"), 1, 0)
| eval control_panel = if(matches(toLowerCase(command_line), ".*control_rundll.*") or matches(toLowerCase(command_line), ".*\.cpl.*"), 1, 0)
| eval suspicious_path = if(matches(toLowerCase(command_line), ".*(temp|appdata|downloads|public|desktop).*"), 1, 0)
| eval ordinal_load = if(matches(command_line, ".*,#[0-9]+.*"), 1, 0)
| eval office_parent = if(matches(toLowerCase(parent_process), ".*(winword|excel|outlook|powerpnt)\.exe.*"), 1, 0)
| eval script_parent = if(matches(toLowerCase(parent_process), ".*(cmd|powershell|wscript|cscript|mshta)\.exe.*"), 1, 0)
| eval risk_score = javascript_exec + remote_sct + minidump_flag + (suspicious_path * (office_parent + script_parent)) + ordinal_load + office_parent + script_parent
| where risk_score > 0
| fields _messagetime, host, user, process_name, command_line, parent_process, parent_command_line, javascript_exec, remote_sct, minidump_flag, control_panel, suspicious_path, ordinal_load, office_parent, script_parent, risk_score
| sort by risk_score desc, _messagetime desc

high severity medium confidence

Data Sources

Sumo Logic Windows Event Log Source Sumo Logic Sysmon Source Sumo Logic Cloud SIEM (CSE) Windows normalized schema

Required Tables

_sourceCategory=*WinEvent* _sourceCategory=*Sysmon*

False Positives

Enterprise endpoint management agents (e.g., Tanium, BigFix) that spawn rundll32.exe with shell32.dll or advpack.dll from PowerShell as part of patch management workflows
Legitimate use of ieframe.dll or zipfldr.dll by Windows Explorer processes for archive browsing or web content rendering, occasionally triggered from script-based automation
Developer toolchains that use mshta.exe or cscript.exe as build-step wrappers which subsequently call rundll32.exe with benign system DLLs

Google Chronicle / SecOps

yaral

rule rundll32_proxy_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1218.011 rundll32.exe proxy execution abuse including JavaScript via mshtml, remote COM scriptlet loading, MiniDump credential dumping, ordinal-based DLL invocation, and suspicious parent process chains. Associated with Emotet, QakBot, Cobalt Strike, and FIN8."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218.011"
    reference = "https://attack.mitre.org/techniques/T1218/011/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i).*\\rundll32\.exe$/
    (
      $e.target.process.command_line = /(?i)(javascript:|mshtml|RunHTMLApplication)/ or
      $e.target.process.command_line = /(?i)(https?:\/\/|GetObject\()/ or
      $e.target.process.command_line = /(?i)MiniDump/ or
      $e.target.process.command_line = /,#[0-9]+/ or
      $e.principal.process.file.full_path = /(?i).*(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)\.exe$/
    )
    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid
    $cmdline = $e.target.process.command_line
    $parent = $e.principal.process.file.full_path

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows Event Logs forwarded to Chronicle Sysmon events ingested via Chronicle forwarder CrowdStrike Falcon telemetry via Chronicle integration

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Legitimate Group Policy processing by svchost.exe or mmc.exe that invokes rundll32.exe with shell32.dll Control_RunDLL for system management tasks
Help desk remote management tools such as ConnectWise or TeamViewer that chain PowerShell to rundll32.exe during remote support session initialization
Windows Installer (msiexec.exe) calling rundll32.exe with advpack.dll LaunchINFSection as part of standard software installation sequences

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i).*\\rundll32\.exe$/
| CommandLine = /(?i)(javascript:|mshtml|RunHTMLApplication|https?:\/\/|GetObject\(|MiniDump|Control_RunDLL|\.cpl|,#[0-9]+)/ OR ParentBaseFileName = /(?i)(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)\.exe$/
| eval(javascript_exec=if(CommandLine=/(?i)(javascript:|mshtml|RunHTMLApplication)/, 1, 0))
| eval(remote_sct=if(CommandLine=/(?i)(https?:\/\/|GetObject\()/, 1, 0))
| eval(minidump_flag=if(CommandLine=/(?i)MiniDump/, 1, 0))
| eval(control_panel=if(CommandLine=/(?i)(Control_RunDLL|\.cpl)/, 1, 0))
| eval(suspicious_path=if(CommandLine=/(?i)(Temp|AppData|Downloads|Public|Desktop)/, 1, 0))
| eval(ordinal_load=if(CommandLine=/,#[0-9]+/, 1, 0))
| eval(office_parent=if(ParentBaseFileName=/(?i)(winword|excel|outlook|powerpnt)\.exe$/, 1, 0))
| eval(script_parent=if(ParentBaseFileName=/(?i)(cmd|powershell|wscript|cscript|mshta)\.exe$/, 1, 0))
| eval(risk_score=javascript_exec + remote_sct + minidump_flag + suspicious_path * (office_parent + script_parent) + ordinal_load + office_parent + script_parent)
| where(risk_score > 0)
| groupBy([ComputerName, UserName, CommandLine, ParentBaseFileName, TargetProcessId], function=([max(risk_score), max(javascript_exec), max(remote_sct), max(minidump_flag), max(control_panel), max(suspicious_path), max(ordinal_load), max(office_parent), max(script_parent), count()]))
| sort(field=max_risk_score, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2) CrowdStrike Falcon Insight XDR

Required Tables

#event_simpleName=ProcessRollup2

False Positives

CrowdStrike Falcon sensor updates or diagnostic routines that internally invoke rundll32.exe with system DLLs, potentially triggered via a PowerShell-based update script
Legitimate LOB (line-of-business) applications using ordinal-based exports (,#ordinal) for proprietary DLLs stored in user-writable paths as part of their standard plugin architecture
IT automation frameworks (Ansible, Puppet) executing PowerShell or cmd.exe wrappers that call rundll32.exe with advpack.dll or shell32.dll for Windows configuration management

Rundll32

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections