T1218.011 Elastic Security · Elastic

Detect Rundll32 in Elastic Security

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe avoids triggering security tools that allowlist it or ignore it due to high noise. Rundll32 can execute DLL payloads, Control Panel items (.cpl via Control_RunDLL), JavaScript (via mshtml,RunHTMLApplication), remote COM scriptlets, and system DLLs (zipfldr.dll, ieframe.dll). Adversaries may also export DLL functions by ordinal number or obscure function names by appending W/A character set suffixes. Widely used by InvisiMole, Latrodectus, FIN8, APT28, BoomBox, MegaCortex, QakBot, Emotet, Cobalt Strike, and many ransomware families.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.011 Rundll32
Canonical reference
https://attack.mitre.org/techniques/T1218/011/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=30s
  [process where event.type == "start"
   and process.name : "rundll32.exe"
   and (
     process.command_line : ("*javascript:*", "*mshtml*", "*RunHTMLApplication*") or
     process.command_line : ("*http://*", "*https://*", "*GetObject(*") or
     process.command_line : ("*MiniDump*") or
     process.command_line : ("*Control_RunDLL*", "*.cpl*") or
     (
       process.command_line : ("*Temp*", "*AppData*", "*Downloads*", "*Public*", "*Desktop*") and
       process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                               "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
     ) or
     process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                             "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe") or
     process.command_line : ("*,#[0-9]*")
   )
  ] by process.pid
  [any where true] by process.parent.pid

OR

process where event.type == "start"
and process.parent.name : "rundll32.exe"
and process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "net.exe", "certutil.exe")
high severity high confidence

Detects suspicious rundll32.exe execution patterns including JavaScript proxy execution via mshtml, remote SCT/COM scriptlet loading via HTTP(S) or GetObject, LSASS MiniDump via comsvcs.dll, Control Panel item abuse, ordinal-based DLL loading, and suspicious parent-child relationships indicative of T1218.011 abuse by families such as Emotet, QakBot, and Cobalt Strike.

Data Sources

Elastic Endpoint SecurityWinlogbeat with SysmonElastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-*winlogbeat-*

False Positives & Tuning

  • Legitimate software installers and updaters that invoke rundll32.exe with Control_RunDLL to launch .cpl control panel applets (e.g., scheduled maintenance tools)
  • Enterprise IT management tools (SCCM, PDQ Deploy) that call rundll32.exe from cmd.exe or PowerShell scripts during software deployment workflows
  • Developers or security researchers invoking comsvcs.dll MiniDump for legitimate process dump analysis or debugging purposes on developer workstations
Download portable Sigma rule (.yml)

Other platforms for T1218.011

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Rundll32 LSASS Dump via comsvcs.dll MiniDump

    Expected signal: Sysmon Event ID 1: powershell.exe then rundll32.exe with comsvcs.dll and MiniDump in command line. Sysmon Event ID 10 (Process Access): rundll32.exe accessing lsass.exe. Sysmon Event ID 11: lsass.dmp file created in Temp. Windows Defender will likely block this on patched systems.

  2. Test 2Rundll32 JavaScript Execution via mshtml

    Expected signal: Sysmon Event ID 1: rundll32.exe with javascript: and mshtml in command line. If WScript.Shell successfully runs calc.exe, a child process creation event for calc.exe with ParentImage=rundll32.exe will appear.

  3. Test 3Rundll32 DLL Execution from Temp Directory

    Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: rundll32.exe with ordinal (#1) and Temp path. Sysmon Event ID 7: DLL loaded by rundll32.exe. Security Event ID 4688.

Last updated: 2026-04-19 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1218.011 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1003.001LSASS MemoryT1059.007JavaScriptT1218.010Regsvr32T1218.002Control PanelT1546.015Component Object Model HijackingT1547.001Registry Run Keys / Startup Folder

Same Tactic: Defense Evasion

Popular Detections