Detect Rundll32 in CrowdStrike LogScale
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe avoids triggering security tools that allowlist it or ignore it due to high noise. Rundll32 can execute DLL payloads, Control Panel items (.cpl via Control_RunDLL), JavaScript (via mshtml,RunHTMLApplication), remote COM scriptlets, and system DLLs (zipfldr.dll, ieframe.dll). Adversaries may also export DLL functions by ordinal number or obscure function names by appending W/A character set suffixes. Widely used by InvisiMole, Latrodectus, FIN8, APT28, BoomBox, MegaCortex, QakBot, Emotet, Cobalt Strike, and many ransomware families.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.011 Rundll32
- Canonical reference
- https://attack.mitre.org/techniques/T1218/011/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i).*\\rundll32\.exe$/
| CommandLine = /(?i)(javascript:|mshtml|RunHTMLApplication|https?:\/\/|GetObject\(|MiniDump|Control_RunDLL|\.cpl|,#[0-9]+)/ OR ParentBaseFileName = /(?i)(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)\.exe$/
| eval(javascript_exec=if(CommandLine=/(?i)(javascript:|mshtml|RunHTMLApplication)/, 1, 0))
| eval(remote_sct=if(CommandLine=/(?i)(https?:\/\/|GetObject\()/, 1, 0))
| eval(minidump_flag=if(CommandLine=/(?i)MiniDump/, 1, 0))
| eval(control_panel=if(CommandLine=/(?i)(Control_RunDLL|\.cpl)/, 1, 0))
| eval(suspicious_path=if(CommandLine=/(?i)(Temp|AppData|Downloads|Public|Desktop)/, 1, 0))
| eval(ordinal_load=if(CommandLine=/,#[0-9]+/, 1, 0))
| eval(office_parent=if(ParentBaseFileName=/(?i)(winword|excel|outlook|powerpnt)\.exe$/, 1, 0))
| eval(script_parent=if(ParentBaseFileName=/(?i)(cmd|powershell|wscript|cscript|mshta)\.exe$/, 1, 0))
| eval(risk_score=javascript_exec + remote_sct + minidump_flag + suspicious_path * (office_parent + script_parent) + ordinal_load + office_parent + script_parent)
| where(risk_score > 0)
| groupBy([ComputerName, UserName, CommandLine, ParentBaseFileName, TargetProcessId], function=([max(risk_score), max(javascript_exec), max(remote_sct), max(minidump_flag), max(control_panel), max(suspicious_path), max(ordinal_load), max(office_parent), max(script_parent), count()]))
| sort(field=max_risk_score, order=desc)Detects T1218.011 rundll32.exe proxy execution in CrowdStrike Falcon telemetry using ProcessRollup2 events. Evaluates command-line patterns for JavaScript execution via mshtml, remote COM scriptlet loading via HTTP/GetObject, LSASS MiniDump dumping, Control Panel abuse, ordinal-based DLL loading, and suspicious Office or script interpreter parent processes. Risk scoring is aggregated per host and process for analyst prioritization.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon sensor updates or diagnostic routines that internally invoke rundll32.exe with system DLLs, potentially triggered via a PowerShell-based update script
- Legitimate LOB (line-of-business) applications using ordinal-based exports (,#ordinal) for proprietary DLLs stored in user-writable paths as part of their standard plugin architecture
- IT automation frameworks (Ansible, Puppet) executing PowerShell or cmd.exe wrappers that call rundll32.exe with advpack.dll or shell32.dll for Windows configuration management
Other platforms for T1218.011
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Rundll32 LSASS Dump via comsvcs.dll MiniDump
Expected signal: Sysmon Event ID 1: powershell.exe then rundll32.exe with comsvcs.dll and MiniDump in command line. Sysmon Event ID 10 (Process Access): rundll32.exe accessing lsass.exe. Sysmon Event ID 11: lsass.dmp file created in Temp. Windows Defender will likely block this on patched systems.
- Test 2Rundll32 JavaScript Execution via mshtml
Expected signal: Sysmon Event ID 1: rundll32.exe with javascript: and mshtml in command line. If WScript.Shell successfully runs calc.exe, a child process creation event for calc.exe with ParentImage=rundll32.exe will appear.
- Test 3Rundll32 DLL Execution from Temp Directory
Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: rundll32.exe with ordinal (#1) and Temp path. Sysmon Event ID 7: DLL loaded by rundll32.exe. Security Event ID 4688.
References (6)
- https://attack.mitre.org/techniques/T1218/011/
- https://lolbas-project.github.io/lolbas/Binaries/Rundll32/
- https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md
- https://blog.f-secure.com/hunting-for-the-undefined-behavior-the-case-of-comsvcs-dll/
- https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security
Unlock Pro Content
Get the full detection package for T1218.011 including response playbook, investigation guide, and atomic red team tests.