T1218.011 Google Chronicle · YARA-L

Detect Rundll32 in Google Chronicle

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe avoids triggering security tools that allowlist it or ignore it due to high noise. Rundll32 can execute DLL payloads, Control Panel items (.cpl via Control_RunDLL), JavaScript (via mshtml,RunHTMLApplication), remote COM scriptlets, and system DLLs (zipfldr.dll, ieframe.dll). Adversaries may also export DLL functions by ordinal number or obscure function names by appending W/A character set suffixes. Widely used by InvisiMole, Latrodectus, FIN8, APT28, BoomBox, MegaCortex, QakBot, Emotet, Cobalt Strike, and many ransomware families.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.011 Rundll32
Canonical reference
https://attack.mitre.org/techniques/T1218/011/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule rundll32_proxy_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1218.011 rundll32.exe proxy execution abuse including JavaScript via mshtml, remote COM scriptlet loading, MiniDump credential dumping, ordinal-based DLL invocation, and suspicious parent process chains. Associated with Emotet, QakBot, Cobalt Strike, and FIN8."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218.011"
    reference = "https://attack.mitre.org/techniques/T1218/011/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i).*\\rundll32\.exe$/
    (
      $e.target.process.command_line = /(?i)(javascript:|mshtml|RunHTMLApplication)/ or
      $e.target.process.command_line = /(?i)(https?:\/\/|GetObject\()/ or
      $e.target.process.command_line = /(?i)MiniDump/ or
      $e.target.process.command_line = /,#[0-9]+/ or
      $e.principal.process.file.full_path = /(?i).*(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)\.exe$/
    )
    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid
    $cmdline = $e.target.process.command_line
    $parent = $e.principal.process.file.full_path

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting T1218.011 rundll32.exe proxy execution by matching process launch events where rundll32.exe executes with command-line patterns indicative of JavaScript proxy execution, remote COM scriptlet loading via HTTP(S) or GetObject, LSASS credential dumping via MiniDump, ordinal-based loading, or a suspicious Office/script interpreter parent process.

Data Sources

Google Chronicle UDM (Unified Data Model)Windows Event Logs forwarded to ChronicleSysmon events ingested via Chronicle forwarderCrowdStrike Falcon telemetry via Chronicle integration

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives & Tuning

  • Legitimate Group Policy processing by svchost.exe or mmc.exe that invokes rundll32.exe with shell32.dll Control_RunDLL for system management tasks
  • Help desk remote management tools such as ConnectWise or TeamViewer that chain PowerShell to rundll32.exe during remote support session initialization
  • Windows Installer (msiexec.exe) calling rundll32.exe with advpack.dll LaunchINFSection as part of standard software installation sequences
Download portable Sigma rule (.yml)

Other platforms for T1218.011

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Rundll32 LSASS Dump via comsvcs.dll MiniDump

    Expected signal: Sysmon Event ID 1: powershell.exe then rundll32.exe with comsvcs.dll and MiniDump in command line. Sysmon Event ID 10 (Process Access): rundll32.exe accessing lsass.exe. Sysmon Event ID 11: lsass.dmp file created in Temp. Windows Defender will likely block this on patched systems.

  2. Test 2Rundll32 JavaScript Execution via mshtml

    Expected signal: Sysmon Event ID 1: rundll32.exe with javascript: and mshtml in command line. If WScript.Shell successfully runs calc.exe, a child process creation event for calc.exe with ParentImage=rundll32.exe will appear.

  3. Test 3Rundll32 DLL Execution from Temp Directory

    Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: rundll32.exe with ordinal (#1) and Temp path. Sysmon Event ID 7: DLL loaded by rundll32.exe. Security Event ID 4688.

Last updated: 2026-04-19 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1218.011 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1003.001LSASS MemoryT1059.007JavaScriptT1218.010Regsvr32T1218.002Control PanelT1546.015Component Object Model HijackingT1547.001Registry Run Keys / Startup Folder

Same Tactic: Defense Evasion

Popular Detections